Lecture Notes in 
Computer Science 



1746 



Michael Walker (Ed.) 



Cryptography 
and Coding 

7th IMA International Conference 
Cirencester, UK, December 1999 
Proceedings 



Springer 




Lecture Notes in Computer Science 1746 

Edited by G. Goes, J. Hartmanis and J. van Leeuwen 




Berlin 

Heidelberg 

New York 

Barcelona 

Hong Kong 

London 

Milan 

Paris 

Singapore 

Tokyo 




Michael Walker (Ed.) 



7th IMA International Conference 
Cirencester, UK, December 20-22, 1999 
Proceedings 




Series Editors 



Gerhard Goos, Karlsruhe University, Germany 
Juris Hartmanis, Cornell University, NY, USA 
Jan van Leeuwen, Utrecht University, The Netherlands 

Volume Editor 

Michael Walker 

Vodafone Limited 

The Courtyard, 2-4 London Road 

Newbury, Berkshire RG14 IJX, UK 

E-mail : mike . walker @vf.vodafone. co.uk 



Cataloglng-ln-Publlcation data applied for 



Die Deutsche Bibliothek - CIP-Einheitsaufnahme 

Cryptography and coding : . . . IMA international conference . . . ; proceedings. - 
5[?]-. - Berlin ; Heidelberg ; New York ; Barcelona ; Hong Kong ; London ; 

Milan ; Paris ; Singapore ; Tokyo : Springer, 1995[?]- 
(Lecture notes in computer science ; . . . ) 

7. Cirencester, UK, December 20 - 22, 1999. - 1999 
(Lecture notes in computer science ; 1746) 

ISBN 3-540-66887-X 



CR Subject Classification (1998): E.3-4, G.2.1, C.2, J.l 
ISSN 0302-9743 

ISBN 3-540-66887-X Springer- Verlag Berlin Heidelberg New York 



This work is subject to copyright. All rights are reserved, whether the whole or part of the material is 
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, 
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication 
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, 
in its current version, and permission for use must always be obtained from Springer- Verlag. Violations are 
liable for prosecution under the German Copyright Law. 

© Springer-Verlag Berlin Heidelberg 1999 
Printed in Germany 

Typesetting: Camera-ready by author 

SPIN: 10750021 06/3142 - 5 4 3 2 1 0 Printed on acid-free paper 




Preface 



fi 

future of cryptography and coding 




VI 



Preface 




Contents 



Applications of Exponential Sums in Communications Theory 1 

Some Applications of Bounds for Designs to the Cryptography 25 

Further Results on the Relation Between Nonlinearity and 

Resiliency for Boolean Functions 35 

Combinatorial Structure of Finite Fields with Two 

Dimensional Modulo Metrics 45 

A New Method for Generating Sets of Orthogonal Sequenees for 
a Synchronous CDMA System 56 

New Self-Dual Codes over GF(5) 63 

Designs, Intersecting Families, and Weight of Boolean 

Funetions 70 

Coding Applications in Satellite Communieation Systems 81 

A Unified Code 84 

Enhanced Image Coding for Noisy Channels 94 

Perfectly Secure Authorization and Passive Identification 

for an Error Tolerant Biometric System 104 




VIII Contents 



An Encoding Scheme for Dual Level Access to Broadcasting 

Networks 114 

Photograph Signatures for the Protection of Identification 

Documents 119 

An Overview of the Isoperimetric Method in Coding Theory 129 

Rectangular Basis of a Linear Code 135 

Graph Decoding of Array Error- Correcting Codes 144 

Catastrophicity Test for Time- Varying Convolutional Encoders 153 

Low Complexity Soft-Decision Sequential Decoding Using 

Hybrid Permutation for Reed-Solomon Codes 163 

On Efficient Decoding of Alternant Codes over a Commutative 

Ring 173 

Reduced Complexity Sliding Window BCJR Decoding Algorithms 

for Turbo Codes 179 

Advanced Encryption Standard (AES) - An Update 185 

The Piling-Up Lemma and Dependent Random Variables 186 

A Cryptographic Application of Weil Descent 191 

Edit Probability Correlation Attack on the Bilateral Stop/Go 

Generator 201 




Look-Up Table Based Large Finite Field Multiplication in 
Memory Constrained Cryptosystems 



Contents 



IX 



On the Combined Fermat/Lucas Probable Prime Test 



On the Cryptanalysis of Nonlinear Sequences 



Securing Aeronautical Telecommunications 



Tensor-Based Trapdoors for CVP and Their Application to 
Public Key Cryptography 



Delegated Decryption 



Fast and Space-Efficient Adaptive Arithmetic Coding 



Robust Protocol for Generating Shared RSA Parameters 



Some Soft-Decision Decoding Algorithms for Reed-Solomon 
Codes 



Weaknesses in Shared RSA Key Generation Protocols 



Digital Signature with Message Recovery and Authenticated 
Encryption (Signcryption) - A Comparison 



213 

222 

236 

243 

244 
258 
270 
280 

290 

300 

307 



Index 



313 




Applications of Exponential Sums in 
Communications Theory 
[Invited Paper] 

h 

o o 

k o o 

o o ok - o 
o 

kpOhplb . hpl . hp . com 

0 0 0 0 0 o 

o o o 



Abstract. o 

o o 
o o 



1 Introduction 



h h 



h h F 

h 



X y 

h h h h 



X X 



h y h 

h y 

X F h - 

y h h 

j h h h 9 h 

h hy h 

h j h - 

j y h h- h y h 

h y X y 



h h h h h 

h h y h y 

h h X y 

X h h 

fly h h 

X h y 

xh h 

V h 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 1-24, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




o 



h 



h 




h 



h 



h 

y h y 



h 



X 



h 



h 



y 



h 



h 

h h X 

h 

y 

h y 



h 

h 

h 

X 

X 



y y - 



X 

y fly 



2 Finite Fields, Their Characters, and the Dual BCH 
Codes 

h 

h h X 



h h 



h 



h h 

h h 

h h 

h h 

h 



h h h 

F 2 ™ - 

h F2™ h 



h X y 

1 1 
X h h 

y y F 

j h fl 



X y 

h y h 



h 

F 2 " F2"» 



F 2 ' 



F2" h 
F 2 " 

F 2 " 

y h 

h h 

h F2" 



y 

h F2" 

-z F2^ 

y 



h 



h 

h 




0 0 o 



o o 



y h 



h 

h -F2" 



h 

h 



F2" 



h h 
0 h trivial 

h - h 



F2" h y 

) -F2" 

h additive characters F2" y y 

h h h F2" 



E 

— F2'?^ 



F2" 



X - h 
h - 



h 



h multiplicative characters F2" h y h 



Fy„ - 



h 0 

h 



h 



h trivial 



h h 



h 



- 2- 



F2" 

h 

1 3 

h 



h - - - 



2 -1 



2 -1 



■ F2" 



2"-2 



c y 



h C 

h -z 



h h h 
2 -1 



2"-2 



y 

F2" h y h 



y h h h C 

h F2 h 

- - F2" - h y 

y h h h y 




h h 



C h 

h z 



h z X 



h y 



3 Exponential Sums 



h h 



h h h 
h 

h h F 



h h y X 



h h exponential sums with polynomial argument Weil sums 

h h X y X h 

h h y z y h h 

h h z h h 

h h z- h y h 

h z 

Result 1 [66, 4] With notation as above, 



y z 

h 



y h 



h h 

h h h 

h h h 

X h h y 

y h h y 

y y F2" 







o o 



o 



o 



o 



o 



3.1 Exponential Sums and Curves over Finite Fields 



h h 



h h h 

y h 

y X h 



h h 

h 



Lemma 1 [32, Theorem 2.25] For — F 2 " , we have tr^ if and only if 

^ for some — F 2 " . 



F2^ 



h X 

li ()) F2„ ^ 

— — F2" 1 



■ F2" 1 



h y h X 

h ^ h y h 

h affine curve h 

2 h h h 

h 

h h y h 

E - -- 

— F2'fi 

1 h h 



— F2" 

h 

h 



2 -2 -1 



h 



y 



h h j 

y 



h j 



E 

— F2^ 



li ( )) 



F 




o 




1 2 y 

y the Riemann 

y y h h 




2 




o o 



o 



o 



o 



o 



h 

1 h 
1 2 



h j 

h h y 

j 

h h y 



y 



h 



X 

h 



h 



h 



h 



h 



j 



h 




h 




h 



h 

h 

X 



y h h 

y h h 

y 

hy h h - 

y h 



3.2 Hybrid Exponential Snms 

y hy X X h h h 

h h 

h hy h 



Definition 1 Let be an additive charaeter and a multiplicative character of 
F2" . Then the Gaussian sum is defined by 

E 

h y 

h 



Resnlt 2 Let be a non-trivial additive character and a non-trivial multi- 
plicative character of F2" . Then 

2 



hy h 


h 


h z ^ y 


h y 


h h 




h z h h h h 




h 


h 


X y h every 




h 








y X 




h y h 


- 


h 




h 




Result 3 Let 


be a non-trivial multiplicative character of F2" of order 


with 


— — . Let 


be a non- 


-trivial additive character 0/F2" . Let — F2" 


have 


distinct roots and 


— F2" have degree . Suppose that 




and that is odd. Then 









h h 



h 



h 



o 



h y 

h y y 

h h h 

h h z h 



h h h hy 
h h h 



4 Application: Minimum Distance of Dual BCH Codes 



h C 



Cl 



X y 
h 



h h h -z 

h X 



h h h 



h h 
h -z 

h 1 

F2" 



E 

— F2'^ 



E 

-F„„ 



T( ) 



1 



1 



h 

j h 
y h 
h 



h h h 

h h 
-1 



-1 



y h h 

h C 



-z y 



h h 
h 

y -z Cl h 

h 

h h 

h -z C 

h z 
h 



E 

— F2^ 



li ( )) 



E . 

— F2^ 



-1 



-1 



h h 

Theorem 4. Suppose — — — ^ . Then the minimum Hamming 

distanee of C is at least 



h 




o o 



o 



o 



o 



o 



5 Application: Sequence Sets with Low Periodic 
Correlations 



h 



y 

h 

X 



y h 
h 
h 



y 



y h 



h 

h 



h 



h 



h 



h 



h 

y h h 



5.1 Periodic Correlation Functions 



0 12 0 
y h h + 

h periodic cross-correlation 



+ 



X- 



h 



-1 

E 



“ + 



— h periodic cross-correlation function 

h y h 

h periodic auto- correlation h 



h 



h 



h 

h 



E 



-1 

=0 



y 



h 

h h 

y 

h 

non-trivial auto- correlations 



h 




h 



5.2 A Simplified Model for CDMA Communications 

X 

h y h 

y h h h h 

y h 

h j h 

h spreading code h h j 

h 



h 



X- 



0 12 




o 



h 

h 



E- 



=0 



h delay 



h 

h h 



spread y h 

0 12 h 



h h y 

h h h 



-1 / -1 



y 



h h 

t 

h 

h h 



EE 

=0 y =0 

e(e 

=0 V =0 



h 

h 



h X 



h 



y h 
h 



+ .7 + 



E- 



h y 

h — h h 
h h 
h y 



y h h 

y h 



X- 



max 



X 

1 - 




o o 



o 



o 



o 



o 



X 

0 - 



max 

h 



max ^ max max 

ll h max h. 



max 

9 h h 



j h 



9 



5.3 The m-Sequences and Their Periodic Correlations 

h - h h h 



F2" h 
1 



0 1 



binary -sequence 
h 



F 2 " 



-1 



h - 

z 

y 



y h 



h 

h 



Lemma 2 Let be a binary -sequence of period 
corresponding complex-valued sequence. Then for — 
AC 



and let be the 
— , we have 



Proof. h 



2"-2 



E - 

=0 

>^-2 

i: - 



-i+T 



=0 

2’"-2 



=0 

E 

— Fon 



?[(!+ ") 1 
h 7 



E 

—¥2'^ 



1 




o 



h 7 



□ 



5.4 Sequence Sets from m-Sequences 

h 

X h - 

y X h - 



F2" 



0 1 y 1 
h 



h 

h 



=0 



E 

—¥2^ 



_ T( + 



- y- 



h z 

y h 



h h 



h h y h h y - 

X 

h 

h max 

y h h 

X y 

-( +2) 2- h h 

- h 



h y 



y 



h 

X 



F2" F2 ti I 

F2 h 



h h h 
9 h 



binary 



h h 

h h 

h h y h 

y 

y h h X 




o o 



o 



o 



o 



o 



h h y 



X y 



h rank h h 

h 
h 



h j 



h y 



5.5 Sequence Sets from Dual BCH Codes 



- - y 



h h 



(-1) h 

C h y 

y h 

X h h 

h X 



h h 



2 +1 



(2 + 1 ) 



2 +1 



2 +1 




o 



h -z y h — 

y 

Theorem 5. The sequence set — contains *• sequences of period — 
and satisfies Cmax — — — *• 

h h h h 

h C h h y h 

h h C y h 



h h y 

h -2 

j h h 

h h h y h 

y max 2 

Gold-like codes 



6 Application: Aperiodic and Partial Correlations 

y h - - 

h h h 



partial 



h h aperiodic cross-correlation 



h aperiodic auto -correlation function 




o o 



o 



o 



o 



o 



X y h 



y 

h h partial cross-correlation 



h 


h h 

y 


h 




Y1 + “ + + 

=0 




y 


h partial auto-correlation y 







h 


h h 






h 














y 




y 


h 


y y h 








y h 


y 




9 




y 


9 


h 






y y 


y 


h 




h 






y h 






h 








y h 










h h 


h 


X 














h 


h 






h 






h h 


h 








h 




X 








h 






h 








h h 






h X h 






h 




- 




- 


h 












h 






y 


h 




h 


X 




y 




h - 




h 


X hy X 






y 




h 










h 


h y 




h 


h 










h 




h y - h 






y 




h 


h 


h y 












9 














— 


y 














r 






- z 








l h 










h 


h 


h 











-1 



+ 




o 



X 

y 

X 



h 



h 

y 0 1 

h h 



0 



-1 

E 



X- 



h Discrete Fourier Transform (DFT) of 

h h 



Inverse DFT 




h 



X 



h 



h h y 

Lemma 3 Let be defined as above. Then 



ek_ 

k _ 



if - 
if 



y X 



h 



-1 -1 

-EE 

=0 =0 




h - 



-1 

E — - 



7 



— F2' 




h X 

h 7 — h 

1(7 ’) - 



h 



r( •) 



7 




o o 



o 



o 



o 



o 



0 



h 




h h h 




X 



h 

y 



h 

y 



Theorem 6. Let be the — — —valued version of an -sequenee of period 

— . Then for any and any — , we have 



1 2 



h 

y hy X 

h h 



h y - 
h h 

h 



h y 



h 

h 

h 



h 

- h y 

h y 
h 

h h 

h h 

h h 

h 
h 



h 



h 

h h 

h h 



y 



h 



y - 



h 



7 Application: The Power Control Problem in OFDM 

h y X h- 

h h y y - - 

h 

h h h - 

- h h 




!=^ «<; 



o 



y 



X h 

y h 

h h h y h h 

h h y C 

0 1 -1 —C h 

h h 



h - h 



-1 



=0 



(2 ) 



h h h j h ^ 

h y 

h X 

h envelope power h 
h h 

h y y h - ^ - 

h peak-to-mean envelope power ratio 



h h 
h 

2 ^ 
h 

h 



X ■ 



C — 



X X - 



h y 



h 

C h h h 
h 

y h 



h h 



h 



h h 

h X 

OFDM power eontrol problem 



y 

h 

y h 



h 

h 



y 



C h h 
C 




o o 



o 



o 



o 



o 



h 

C h 



h 

h y 



h h hy 
h 



E- 



li ( ^)) 



x-^i- - 



y h 



E - 



T( ( n) (2 



hy X 

h 



h y 
h 



h - h 



h h h 



_ (2 ) _ 2 



li ( E) 



h h h-h yhy 

h h - 2 

h h h-h y 

h h h 

y h h 

- y h-h y 

Lemma 4 [46] Let be a degree — polynomial and write 7 ) 

Then 





o 



h 



h h h 



h 



h 



h 

X 



h X 



Theorem 7. LetC denote the code obtained by removing the all-zero word from 
the length — dual BCH code C . Then 



PMEPR C~ - 




2 



h 




h 

y 



y 




h 



h h 



h 




^ h h 
h h 

h 

h 

y h 



h 

h h h 

X h h 

2 



h h X 

h h h 



h 



h 



h h 



8 Further Applications and Literature 



h 

X 



h h 



h 



h 



h 



h h 



X 



E - 

— F2f^ 



h 

y 



h 



h z 



h 



y 



h 



h 



y 



elliptic curves 
h h 

h 



— F2' 



h 



y 

h 



h 



h 



h 

-1 _ 2 
h 



h h 
h 

h 




o o 



o 



o 



o 



o 



- y- 
h h 



reciprocal 



h h h 

h 



h h 
h 



h 



h 



h h 
h z- h y 



X h 

9 

X 

h z- h y 

X h 

h 

- y h 



- h y h 

h h y h 

y 



h y 9 
h y h 



rings h h 
h h fl 



hy 



h hy 



y 

y 



h y 

h 



y h h X 

h h 
h 



References 



0 0 o 

o o EBU Review 

O 0 0 

o IEEE Commun. Magazine 

IEEE Trans. Inform. Theory 

o o o 



k o o 
Duke Math. J. 



0 0 - o - 

o lEE Colloquium on ‘High Speed Access Technology 

and Services, Including Video-on-Demand’ 

o o o o o - 

o o IEEE Trans. Commun. 

k- o- o o o o o - 

o IEEE Trans. Inform. Theory o 



Publ. Math. IHES 




o 



o Spread Spectrum Systems 
tion) o k 

o o o 

IEEE Trans. Inform. Theory 
o o o 

Information and Computation o 
ok o o 



with Commercial Applications (3rd edi- 
o o o GF " 

o o o GF " o 

o Amer. J. Math. 



Sequence design for communications applications 
o k 

o 0 0 ok 

Trans, of lEICE 



o 

Trans. Inform. Theory 
o 

IEEE Trans. Inform. Theory 

o o o 

Inform. Theory 
o 

Z4- o ok 

Inform. Theory 

o 

Discrete. Appl. Math, 
o 

00 00 m- 

o 

Mathematicae 



o 



o 



o q 

k 

o 

o o 

00 o 

preprint 
o o 



IEEE 

00 o 

IEEE Trans. 

o o 

o IEEE Trans. 

o 

00 o 

Acta Applicandae 



o A Classical Introduction to Modern Number Theory 
(2nd edition), Graduate Texts in Mathematics Vol. 8f 

k Finite Fields — Structure and Arithmetics 



do o 000 

IEEE Trans. Inform. Theory 



o 



o 



o 



o 



o 



o 



o 



o o 



o 

o o 



o 



o 

IEEE Trans. Inform. 
o o 
o 



k 00- 

o IEEE Trans. Inform. Theory 

k o 

o o IEEE Trans. Inform. Theory 

00 o 

IEEE Trans. Inform. Theory 

o k 00 o 

Comptes Rendu Academic Science Paris 

0000 o 

Theory 

00 o 

Soviet Math. Dokl. 




o o 



o 



o 



o 



o 



(End Edition) 

o o 



Introduction to finite fields and their applications 

Finite Fields o o 

o 



o o o 



o AAECC 



o The Theory of Error- Correcting Codes 
o 

Finite fields for computer scientists and engineers o o 

o o Algebraic Curves over Finite Fields 



0 0 o o 

o IEEE Trans. Inform. Theory 

0 0 0 0 - o o 

0-0 o o 

Trans. Inform. Theory - o 

o o O 0 0 

o Finite Fields and their Applications 

o o o o 

Inform. Theory 

O 0 0 

o o o o o 

Theory 

o o 

Inform. Theory - o 

o o o 



IEEE 



IEEE Trans. 



o 



IEEE Trans. Inform. 
IEEE Trans. 



o 



IEEE Transactions on Information Theory 



O - O 0 0 0 

Transactions on Information Theory o 

o o 0 0 o o o 

IEEE Transactions on Information Theory 
o ok 

o o oo o o k- o- o o 

Packard Laboratories Technical Report HPL-1999-51, submitted 
littp : //www.hpl .hp . com/techreports/1999/HPL- 1999-51 .html 

Handbook of Coding Theory Vols. I & II 



IEEE 



o 

Hewlett- 



o o o o 

Proc. of Conf. on Information Sciences and Systems 
o 



Commun. 

0 0 0 o 

o o 

Trans. Inform. Theory 



o 



o 

I EE Proc. (F) 
o o o 

o 



o o 
o 



o o o o 



o ok 



IEEE Trans. 
00 o- 

lEEE 




o 



OO O OOO 00 

IEEE Trans. Inform. Theory 

0-0 OO O OO 

Proc. IEEE 

Equations Over Finite Fields — An Elementary Approach. Lecture 
Notes in Mathematics, Vol. 536 

0 0 0 0 
o o OOO Applied Algebra, Algebraic Algorithms 

and Error-Correcting Codes (AAECC- 10 ) o o 

o IEEE Trans. Inform. Theory 

o 

o Number Theory in Science and Communication ( 3 rd edition) 



O 0 0 

IEEE Trans. Inform. Theory 

ko o 



o o 
o o 



0 0 o 

OOO q- 

Soviet Math. Dokl. 



o 

munications, 

o 



o 

Vol. 1 o ok 

Algebraic Function Fields and Codes 



Spread Spectrum Com- 
o k 



o 

IEEE Trans. Inform. Theory. 

o o 

ok o 



o o 



o 

o 



o 



o 



o 



o 

k 



o o Z4 IEEE Trans. Inform. Theory 



o 



o 



o 



o o Elements of Number Theory o ok 

Sur les courbes algebriques et les varietes qui s’en deduisent, Actualites 
Sci. et Ind. no. IO4I 

000 000 IEEE Trans. 

Inform. Theory 




Some Applications of Bounds for Designs to the 

Cryptography 



1 k * n n 1 k 

Department of Mathematics and Informatics 
Veliko Tarnovo University 
5000 Veliko Tarnovo, Bulgaria 
svetla_venci@hotmail . com 



Abstract. Recent years have seen numerous examples where designs 
play an important role in the study of such topics in cryptography as 
secrecy and authentication codes, secret sharing schemes, correlation- 
immune and resilient functions. In this paper we give applications of 
some methods and results from the design theory, especially bounding 
the optimal size of the designs and codes, to cryptography. We give a 
new bound for the parameter t, when (n, T, t)-resilient functions and 
correlation-immune functions of order t exist. In the last section we 
present analogous bound for the parameter N of T-wise independent 
t-resilient function. 



1 Introduction 

n X y n n 1 



n 


n 


code design 






minimal distance 


n X y 


n 


1 n 






x,y C,x=y 






1 




X y n X y 


n 


n 


n 








n 


n n 




n n n 




1 


n n 






11 


n n 


n 


1 


n Inn 


n 


n n 


n 1 










Definition 1.1 


A set will be referred to as 


a -design in 


with respect to 


the substitution 




if for any polynomial f 


in a real of degree at most , 


/ / 


f 


X y X y — 


- E/ 


X y 








x,y C 





* Supported by a junior research fellowship of the Katholieke Universiteit Leuven, 
Belgium. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 25-34, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




26 



Svetla Nikova and Ventsislav Nikov 











n — 


— 














n 


11 




n 




n n 






- 




n 


n 








— 0 


1 


n ~ 




distance distribution 




dual distance distribution 




11 




11 


n 








n 












“ 0 


1 


n 




dual distance 








11 
















i 




external distanee 






n 


















i 




n 






















n 






n n 


1 


n 








n 






1 




n 






11 n n 




1 






n 


n 
















n n f xi 


Xn 


Xi 


- 


V 


- 






- 


- 


- 


n 


f 




Xji w 


n 


n 






n 








1 










n 1 Xi 








n 


n 


n 


n 




n 




1 






n 1 


n 


/ 












1 








k 


1 


w 


n n 


/ 11 






1 n 




n 












n n 


n n 


- 


1 




n 






/ 








n 


n 


n n 


V 


n n 






1 












1 






T 

w 






n 


11 




1 








- 


w 




1 


n n / n 


n 












n 




n 


fl Xl 


Xn 




Jt Xi Xji 




n 

V 




V 






n 




n 


n 


n 


n 


1 


n 




1 




11 












n 


n 


n 




1 balaneed 


/ 


1 n 




n 


n 


n 










n 






n n 










1 


n 








n 






n n n n 


V 


n 


n 




1 








1 


n 








n n 11 




-resilient 




1 




1 


n 






n 


n 




n 1 n 




n n 








n 










A 


1 


n 


n 








n 


0 


1 






d 




- - 


- 




1 


n n 


A 
























nn 1 




n 




j 


— 


















n A 




1 n 1 


n 




— 




- 


- 




- 


- 


1 


i Ai In 


1 


n 














1 






n 


n 


i Ai 










n 


n 








i 












n 




n 














n 




- 


i A n 


n 


n 1 n 






n 




n 




n 




1 




n 


n 




- 


n 


n 1 






1 








n 




n 


n In 1 




n 
























n 11 


n 








n 






1 




n 




1 




n n 


n 


n n 


n 












fl 






n 




n 


n 


n 






n 


n 


n 






n 




1 


n 


n 


n 


1 




n 


1 


1 










1 


1 


n 1 n 


n 1 


1 




n 




n 




n 


n 


n 


1 






1 n 


n 


1 




11 




n 






1 






n ] 


a 


n n 










n 




n 


n 






n 




n n 


n 1 


n 




n 


n 




1 


n 



^ Here and in Section 4 we will follow the notations used in [9] 




Some Applications of Bounds for Designs to the Cryptography 



27 



n 


n n 


nn 


n 


n 






1 


n 




n 


n 




n 




1 n 


n 


n n 




1 n 


n n 


n 


n 


1 


n 


n 


n 1 




n 






n 


n n 


1 n 


n 


n 



2 Improvement of the Delsarte Bound for Orthogonal 
Arrays and Combinatorial Designs 



1 




n 




n 


n 


n n 1 








1 


n n 


n n 


n 


n 


n 1 


n 


1 n 1 


1 n 






n 




1 1 


11 n 


n 


n n 


11 n 


polynomial metric space 




n 


n 


n 




n 1 






1 n 1 


2 




— 


11 zonal spherical functions 


1 


n 1 


11 


antipodal 




n X — 


- 




n X 


n n y 


— 




X y 


X y 




X y - 






n 


n 


11 n 


n — 


n 






1 n n 


n n n 




n 


2 2 






2 


ELo * 




— n 


n 


11 


adjacent 


n 1 In 


1 a,b 

^ h 






a b 


n 1 






— — 


a,l 6,1 


n n c“’^ 


a.b 








1 




n k 






n 


i 2 


i 2+1 


2—1 


— 




-1 -1 




ri-irrii — i 

Ci n 


- 


■1 — 0 


- 


a 

n k 


,6 


1 n 1 


a,b 

k 


11 n 




n n 


a, 6 vA; a, 6 i 

k /L^i—0 k,i 


^iA—i 


a,b 


a ,b 

— 2 O', 6 


a.b 

a . . 






* 


i 


a ,b 4 

i * 


<^i,i 






1 n 




n n 




n n 


n n 


11 n 












Theorem 2.1. Let 


be an 


— 


-code (reps. 


-design) and let f 


he a real non-zero polynomial such that 






(Al) / - for - 


- - , (resp. (Bl) / - for - - - ), 


(A2) the coefficients 


in the ZSF expansion f 


2^2=0 • 


fi i satisfy fo , 


fi - for 




. (resp. 


(B2) the coefficients 


in the ZSF expansion 


f Eto 


fi i 


satisfy fo 


, fi - 


for 


■) 


Then, / 


fo 


n f ( resp. 


- — / 


fo)- 




n 


— ,T 




1 1 n 


1 


n n 


(Bl) n (B2) 


n 


- 


-12 / 


/ - 


- ,r“ 1 ^ 




28 Svetla Nikova and Ventsislav Nikov 



/ - -,r 11 -,r 1/2/ -n 

f - 



n 




n 






n 




n 1 




n 


n n n 




11 






n 




n 




n n 


11 




n n 


to 


-l+£ “ 






n 


1 n 


- 




n 


n 


n 




11 




2fe-l+£ — 






qT(m 


— 1 + £ 

^0 ^ 






1,1 




1,0 


1, 


,0 _ 


1,1 








k-1 




k 


k 




k 








0^0,0 


0,0 
^0 i 





n 






n 


n 




n 




1 n 1 




- 


s Y^fc-1 


l,e 1,£ 
i i 


l,e 

i 


2 


n f(r) 




0 1,0 2 
k 






1 n 










n 






n 


n 


1 n 1 




n 




11 


n 11 








1 


n 








n n n 




nn 


11 


n nl 


n 


n 


n 11 


n 




1 n 1 




n 




n 




n kn 


n 




n 1 


n 


n 


1 


n 




1 n 1 1 




1 


n n 




n 




n 


1 


n 






1 n n 




n 


1 


n 




















n 


11 n 1 


n 




n n 1 T- — 


/ 


/(i) 


1 


Y^fc+0 (r) 
Z^z=l i 


/ * 


i 






1,0 ( 
k ^ i 


•r) 




n 


n 


1 n 


n 11 1 






1 1 n 


1 




1 


n 




11 n 




n 


n n 


n 




n 


1 


n 














Theorem 2.2. 


[10,11] The bound 




— 


can be improved by a 


polynomial 



f — - ,T of degree at least , if and only if ^ — j for some 

— . Moreover, if ^ — j for some — , then — ean 

be improved by a polynomial in _ of degree . 



Theorem 2.3. [11] Let — be non-antipodal PMS. Then, any _ -extremal 
polynomial of degree ( ) has the form 



f 



(t) 



1-0 



1 , 1-0 

fe-1+0 



1 , 1-0 2 
fc +0 



where and are suitable constants. 

n 11 n 11 n 



1,1 

k t+2 

1 



1,1 

k 



1 1 1,1 
fc_l fc-lC ’ j._i 



„ 1,1 2 



1,1 1,1 

k — 1 k 



fc+1 k 



fc +1 — r +2 



1,1 1,1 

k k-1 fc-1 k 



2 



1.1 1,1 2 
k k-1 k-l k 



3 



fc+1 k 




Some Applications of Bounds for Designs to the Cryptography 



29 



fe +1 — t +2 



1,1 1,1 

k k—1 



k k—1 k 



1,1 1,1 2 

k fc-l k fc-1 



1,0 

fc+1 



t +2 



1,0 

fc+1 



1.0 _i,o 1,0 

k kt- k 



„ 1,0 2 1,0 1,0 

o k fe+1 



0,1 0,1 2 
fc + 1 fc 

To 1,0 2 

fc +1 fc 



^ ..0,1 0,1 n,l 0,1 2 

o fe+1 1- fe 



0,1 2 

fe +1 



0,1 

fc +1 



t +2 



1,0 1,0 

fe+1 fe k 



0,1 0,1 

fc +1 fc 

t;o 

fc+1 fc 



„ 0.1 2 0,1 0,1 

fe +1 fc 



0.1 2 
fc +1 



0,1 _ 

fe+1 T+2 



^ 0,1 CO ^ 1,0 ^ 0,1 



fc+1 fc k k 



k n n 



n n 



J7 

11 n n 1 1 



n 

n 



Lemma 2.1, [11] Let — be a non-antipodal PMS. Then the bound 
equal to 



IS 



1 2 2 






2 4 






2^5 



Corollary 2.4 [11] Let — be a non-antipodal PMS and let be an integer. 
Then 

a) - - - C /(-) 

b) — — 'if o^nd only if ^ — T -+2 



Theorem 2.5. [11] Let — be antipodal PMS. Then, any _ -extremal poly- 
nomial of degree ( ) has the form 

fir) e _ 1,9 1,9 1,9 2 

J 1 fe-1 2 k fe+1 

where , i and 2 are suitable constants. 



Corollary 2.6 [11] Let — be an antipodal PMS and let be an integer. Then 

- - - n 



n 

n 1 



n,v 

fc 



n 

nl n 



n 






n 

V 

n 



n 1 

kin 1 




30 



Svetla Nikova and Ventsislav Nikov 



11 n 



Theorem 2.7. [5] Let be an -eode (reps, -design) and let 



f Etof- 



i—0 J ^ i 



be a real non-zero polynomial sueh that 



(Cl) / , / - for 

(resp. (Dl) / , f - 

(C2) /o , - for 

(resp. (D2) /o , fi - for 



for 



), 



■) 



Then, 



Q f ( resp. 



n Al 

n (Cl), (C2)- * 

n n (Dl), (D2) - n ** 

n n n Dl D2 n 



xfi f ), where L2 f f /q. 

n 



-T2 f In 1 / 

x^2 f In 1 / 



x—Q f 



In 1 / 



/ 



Theorem 2.8. [2,5] For any integers , , 

A* * — 

■^V V 

11 n 11 kn n n 

1 11 - ” 



In n 1 

Singleton bound 



n — d-\-l 

n nl 

Rao n Hamming 



n 1 



1 1 



11 tight n n perfect 

n 1 n n 



Levenshtein 



1 n 



V 

n n 

n n n 

n 



Theorem 2.9. [12] For any code — 



n 




Some Applications of Bounds for Designs to the Cryptography 



31 



n 

1 



1 n 



n n 
1 - 
n 1 n 

kn 



n 

w 

n 

I n^w 

‘ k 

n 1 



11 



n 
n 1 
n 



n 



Theorem 2.10. [12] For any design — 



n 



1 



3 Resilient and Correlation-Immune Functions 

n nn nnn nln nnn 

1 n n n n n 1 

Theorem 3.1. [1] A function f " — ^ is correlation-immune of order t 

if and only if ” is partitioned into orthogonal arrays A\ 



Theorem 3.2. [1] A function f " — f is resilient of order if and only 
'i'f V ^s partitioned into ^ orthogonal arrays A^n-T-t 



onal arrays A\ 

11 1 



n n 

n — t 



n 1 large set of orthog- 
1 Aa 



Corollary 3.3 [1] There exists a funetion f 
order if and only if there exists an t t 



that is resilient of 



n n 
n 



n In 

In n n 



nnn 



n n n 
n n 



n 

n 



a: 

1 n 



n 

n 1 



n 

n n 



n 

n 

n n 
n 

n n 



n 1 

n n 

1 n 



Theorem 3.4, Suppose there exists an correlation-immune function of order . 
Then — 



Theorem 3.5. Suppose there exists a 



-resilient function. Then 



V V 





4 Designs in Product Association Schemes. Maximum 
Independent Resilient System of Functions 



— 




11 


poset 


n 


n 


0 t 






— — n -X - 


- -y - 


X - y — 


i 


n 


d 


11 


poset t-design 


n — — 


- - 


1 


A 

1 *^2 


i 1 




n 


n 


Ai 


direct product 






n 


A 


1 Ai 


0 


m Am 


n 


1 


- - n .4 




i Ai 


- ■ 


- - 






1 n k 










n n 




i Ai n 




-i -i n 




1 


— “ n 




n - i A 


n n 




i 


— 


n 


n n 


n C 


A 






1 n 


1 


n 


i Ai 






-A 




n 


n 


1 

1 

1 

W 


• 






E,- 


i A 


i Ei — 


_ C 


-C 1 


4 


i 



Theorem 4.1. [9] Let A be the product of -polynomial association schem- 
es i Ai — — . Let — be a downset in C and let — be a Delsarte 

— ~-design. Consider the matrices satisfying the conditions 



(i) is non-negative matrix; 

(ii) Pj_- for_-~; 

(iii) Po 

Then, the lower bound on the size of a —-design is o- 



Theorem 4.2. (Delsarte bound J/P/ Let A be the product of -polynomi- 
al association schemes i Ai — — . Let — be a downset in C and let 

— be a Delsarte —^-design. If C satisfies — — — C — — , then 

— /j- 




Some Applications of Bounds for Designs to the Cryptography 



33 



1 



—Mixed-level orthogonal arrays A 
Inn k n n 

n 1 1 — 0 

—Mixed t- designs 

1 — “ n 

— Fused orthogonal array design 

0 

— Split orthogonal arrays A\ 
n 1 Ax 

n n — n n 

n n 1 n n 

n 1 1 n 11 1 

n In — n n 



strength 
1 n 1 — “ ] 

mm i 

n n 110 2 2 

— 1 2 1 2 — — 

n n n 



t+T ^ 

1 n n n 
1 



1 n 



q 

1 0 



— — 12 — 1—1 — 2—2 — 

In nn In 11 nl/ 

E N N.V 1 ^ 1 

1=1 11 In 1 

n / 



E n r n,v 
i -1 i 



n 



n n (Dl) n fi j - - - 

Theorem 4.3. [6] If is split orthogonal array then 



n 



X 



•k 

V 



11 n n 



n n 



n 



N 



V 



n 



n 



Theorem 4.4. If is split orthogonal array then 



X 



N 



V 



N 



V 



n n n 1 t, 11 -wise independent 



-resilient 


n 


n n 






1 n 




1 


n 


n 








n 


n n 


1 n 


nn 


n 


n 






n 


n 1 




n 


n n 







Theorem 4.5. [6]The existence of -wise independent 
equivalent to that of split orthogonal array A\ 



-resilient system is 
with n-t-T 



Corollary 4.6 We derive the inequality 

n_ n N 

V V 

n 1 n 

n n n n 



N 



V 



n 11 

n 




34 



Svetla Nikova and Ventsislav Nikov 



References 

1. J.Bierbrauer, K.Gopalakrishnan, D.R. Stinson, Orthogonal arrays, resilient func- 
tions, error correcting codes and linear programming bounds, SIAM J. Discrete 
Math. 9, 1996, 424-452. 

2. J.Bierbrauer, K.Gopalakrishnan, D.R. Stinson, A note on the duality of linear pro- 
gramming bounds for orthogonal arrays and codes. Bulletin of the ICA 22, 1998, 
17-24. 

3. P.Delsarte, An Algebraic Approach to Association Schemes in Goding Theory, 
Philips Research Reports SuppL, 10, 1973. 

4. J. Friedman, On the bit extraction problem. Proc. 33rd IEEE Symp. on Foundations 
of Computer Science, 1992, 314-319. 

5. V.I.Levenshtein, Krawtchouk polynomials and universal bounds for codes and de- 
signs in Hamming spaces, IEEE Trans. Inf. Theory 41, 5, 1995, 1303-1321. 

6. V.I.Levenshtein, Split orthogonal arrays and maximum independent resilient sys- 
tems of functions. Designs, Codes and Cryptography 12, 1997, 131-160. 

7. V.I.Levenshtein, Universal bounds for codes and designs, Chapter 6 in Handbook 
of Coding Theory, V. Bless and W.C. Huffman, 1998 Elsevier Science B.V., 449-648. 

8. W.J. Martin, Mixed block designs, J.Combin. Designs 6, 2, 1998, 151-163. 

9. W.J. Martin, Designs in product association schemes Designs, Codes and Cryptog- 
raphy 16, 3, 1999, 271-289. 

10. S.I. Nikova, Bounds for designs in infinite polynomial metric spaces, Ph.D. Thesis, 
Eindhoven University of Technology, 1998. 

11. S.I. Nikova, V.S. Nikov, Improvement of the Delsarte bound for r-designs when it 
is not the best bound possible, submitted in Designs Codes and Cryptography. 

12. S.I. Nikova, V.S. Nikov, Improvement of the Delsarte bound for r-designs in finite 
polynomial metric space, to be published. 

13. N.J.A. Sloane, J.Stufken, A linear programming bound for orthogonal arrays with 
mixed levels, J. Stat. Plan. Inf 56, 1996, 295-306. 

14. D.R. Stinson, Resilient functions and large sets of orthogonal arrays, Congressus 
Numer. 92, 1993, 105-110. 

15. F.J.MacWilliams, N.J.A. Sloane, The Theory of Error-Correcting Codes, North 
Holland, Amsterdam, 1977. 




Further Results on the Relation Between 
Nonlinearity and Resiliency for 
Boolean Functions 



n 1 n 



n n 



Dept, of Information Technology 
Lund University, P.O. Box 118, 221 00 Lund, Sweden 
{thomas, enesjOit . 1th. se 



Abstract. A good design of a Boolean function used in a stream cipher 
requires that the function satisfies certain criteria in order to resist dif- 
ferent attacks. In this paper we study the tradeoff between two such cri- 
teria, the nonlinearity and the resiliency. The results are twofold. Firstly, 
we establish the maximum nonlinearity for a fixed resiliency in certain 
cases. Secondly, we present a simple search algorithm for finding Boolean 
functions with good nonlinearity and some fixed resiliency. 



1 Introduction 



1 n n n n n n 





n 




n 


n 


k 




w 










w 


n 


w 




n nl n n 






1 n 






1 


n 


n 


n 




resiliency 


n n 








n 




1 






n 


n 


n k 


w k 


n 






n 


1 n 


w 


n 


nn n 




11 


n 1 










1 1 








1 




1 n 


k nonlinearity 






1 n 


n 


n 




n 




n 


n n 




n 


n 


n 


w n 


w 


n 






11 


n 


1 n 




n 


n 










n 




1 


n n n 1 


n n n 


n 




1 


n 








1 




n 


k 


1 




kn wn 
















1 n 


w 1 


1 




1 


n 


n 


n n 


n 




1 


w 


1 


n nl n 








1 


n n 




n 








1 n 


n w 11 1 








n 


n 


1 






n 




n n 


n nl n 








1 n 


n 


n 


n n 






1 w 


kn wn 








1 


n 


n 


n 


n 






n 1 n n 


n n n 


n 




1 




wn 










n 


nl n 


n n — In 


n 


n 


n n 




1 


n — 


2 






1 


1 


1 n 


n 


n 


w 








1 


n 




n 




n 




1 




n 




n 










1 


w k w 




n 


n 




n 







n n n Innnw 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 35-44, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




36 


Enes Pasalic and Thomas Johansson 














n 




1 


1 




n n 1 


n 


n 


n 


w 


n 


nl n 




n 






1 n 






1 








1 


n 


n 


n 






w 1 






n 








1 




1 n 




n n 


n nl 


n 




n 


n 










n 




11 w 


n 








n 


n 


n 


fl 






n 


kn wl 


n 


n 


nl n 




1 


n 


n 


n 




1 




n 1 


n n 








w n 




n 




n 


n 




11 w 


n n 


w 




1 


n 


n 








n nl n 




n 


n 








1 n 


n 




1 n 




n 




n 






1 




1 






n n 




1 n nl n 




1 n 


Inn 


n 


n 








1 n 


n 


n 


1 n 




n w 


n 


1 










n 


n 


n 


1 


n 

















2 


Preliminaries 










1 




w w 11 nl 




1 


n n 


n n 


n 




1 n 


1 


n n n nl n 


n n 


n w 




1 


n 


1 n 


In k 




n 


n 




n 




1 n 


n n J 


’ X IB2 ^ F2 


k 




n 


n 


n 










n n f X 


n w 


n n 1 n 


1 








f Xx , . . . , Xfi 


qq aiXi 


f^nXji 












ai 2 XiX 2 013X1X3 012 77 , 3 ^ 13^2 


Xn • 


w 




n n 


1 1 n 


n F2 truth table 


n n f X 


n 




n 


/ 


n 


n n 




n 




n n 


/ 


fofl /2"-l ^ W 


F2 


algebraic 


degree 


f X n 


deg f 


n 




n 


n 


















n n 


Inn 


n / X 1 11 


n 


n 






n 




1 n 


k 


n k 






n 1 1 


n k 


n 1 k 


1 n 


n 




k 




1 


n / 


X 1 


1 11 






In n 


n nl n 


1 


n 


1 n 




n n 


n 


n 




1 






n w 


n n n w 










1 n 


n n 












1 


n 


1 n n 


n f X 


n 






1 1 n 


n F uj 


I? 


n 










F LJ 
















X 








Further Results on the Relation Between Nonlinearity and Resiliency 



37 



w dot product 



1 



X n oj n 

n 



X to XiUJi 

n n n 






w F 



1 n 



1 



F A f, 



X n CO 



n n 

1 



A 



n n 



In n n / X balanced P f x 



In 1 n 
n / X balanced iff F 0 

n nonlinearity 
n n n 

f ^ 9 
n n n n 

/ n g 

1 n 1 



1 

2—1 



P f X 
1 n n 



Inn n / X n Nj 

n n n Nf dn f, g 

1 / X n g X An n 

\ n dn f,g n n w n w 

n n w / n gi 

n nl n / x n n 



n 

1 n nl n 
1 n 

1 w 



Nf ’ 

n nl n 
F Fn 



NL Fn 



F ui , w 

n 1 1 1 n 

11 Inn nnn 1 

1 1 n n n / X Fn n 

n kn wl NL Fn 



n nl n 



— n n NL Fn 

funetions n w n n n n 

— n NL Fn kn wn w n n , , n 

NL Fn n kn wn 



bent 



1 n 







w 




1 


balanced 


1 


n 


n 


n 


1 


n nl 


n 


w 11 


w 


n n 


n 


n 




kn 


wn 




n 




kn wn 




















n 11 


1 n 


n 


n / xi 


, . . . , Xn 






m 




correla- 


tion 


immune m 




n rn 


1 n 


n 


n 


n 


11 




n 


n 1 






1 




















, z 


ii 


< 12 


< 


<C itji n, 




w 




f Xi,X2,. 


.. 


n n 


I X Z 


n 






1 n 


n 






n n 




1 


n 


n 




n 




m n 






1 n 


Xi,X2,., 






11 


n 


n n 


Z 


/ ^1,^2: 


)■■■■> ^72 


m 




1 n 




n 


n 


n w 


1 


n 




11 n rn 




resilient rn 1 


n 


n 


n 


n 


1 






n / 


X 


m 1 


n iff F UJ 




n 








UJ 


m w u) 


n 


w 


UJ 














38 



Enes Pasalic and Thomas Johansson 



f X n 
n 1 



n n n 

n 1 In 

In k n 
1 n 



In n n / X 



w n 1 

n In 

In k n w 11 1 

1 f X In 

n — m In 

n n n 

n n 1 n n n 1 

w n 11 1 n nl n 

fl n 

I n n n n Nj — 

II n n 



nn 



1 n 
n n 1 



1 k n k n 



n In 

n n 
n n 
1 n nl n 
n 

kn wn n nl n 
n nl n 
1 w li k 



1 k 

m Inn 

/ 3 : 

In In 

In n n 
n 11 
k 

l\ n 



n — l 



f X n deg f n — li — 

n n n n 1 



IH 




m 


IB 


B 


B 


O 


o 


m 


IQI 


m 






Qg 


gg 


Eg] 


IDI 


m 






Qg 


gg 


Eg] 


IBI 


IB 






gg 


gg 


Eg] 


IBI 


IB 


m 


Eg 






Eg] 


IDI 


IB 


B 






gg 


EEg 


IDI 


IB 


B 


B 




gg 


EEg 


IDI 


IB 


B 


B 


o 







Table 1. nl n Nf n 



n n 



3 Determining the Maximum Nonlinearity for Fixed 
Resiliency in Certain Cases 

n nw In n 1 nn 

Innn In nl 1 n 

n standard form 



n 



n 



n 



1 



11 



Further Results on the Relation Between Nonlinearity and Resiliency 



39 









n 


n z n 




1 n 


n 


n A n 


n 


n 


n 






1 


n 


w 


n 






















min 


(max) z 


c^x, 






















Ax 


b, 




X 0. 














n 


n 1 


n 




n 




1 




n 




n 


n 




1 


11 




n 


n 








1 








nl 1 


n 


n 


branch and bound 1 












1 


n n 


1 


n n 


n/ 


X ml 


n n 




n 


n nl 


n 








1 n F 


UJ 


n 


11 w n 
















F 0 


n—1 

1 


1 n 


n 


5 
















F tu 


) 


Lu m 


, m In, 
















F iu 


n—1 


Nf, uj 


0, 


n nl n 








w 


1 




n 


n 


n 


n 




n n 


n 


1 


n 










1 


1 n 




n n m 


1 n 


n 


n 


w 


n 


nl 


n 


Nf 


11 






w 1 


1 


w 




w 








n n 


n 


n 




n w 










1 


n 


n 


n n 


1 


n 


W 


n nl n Nf 









n n n n 

^( 00000 )/ 

^( 00001 )/ 



w n 

n n n 



1 



1 



n 



^( 10000 )/ 

A^f 

A^f 

w 

1 



OJ 

OJ 



1 



n 



n n 



1 



n 

n 



n 



n 



11 32 

1 



1 1 

Nf 



n 



A 



n n n 1 n 



1 1 



n 



1 n n 
n nl n 
1 n 

n 1 

n n n n 1 k 1 

1 n nn n 1 

1 In In 

n n 1 w n 

111 n 



n n do not exist 1 n 

n In n n n 1 

In n 

1 1 n 

1 n n 

w n 11 n n 

w k n 1 1 



n Inn 
n 

win 1 



n 



n 1 



In n n w n n 




40 



Enes Pasalic and Thomas Johansson 





Resiliency 


n 


0 


1 


2 


3 


4 


5 


5 


12 


12 


8 


0 


0 


0 


6 


26 


24 


24 


16 


0 


0 


7 


* 


* 


* 


* 


* 


0 



Table 2. 



Nf n In 



Theorem 1. The maximum nonlinearity for a 1-resilient Boolean funetion on 
n variables is 



n 






11 






n 


w 


n 






1 




n 


n 


n 








n 










1 


1 


n nl n 






m 1 


n 


n 


n 


w 


n m 




n 


n 


n 


1 










n 


n 




n 


w 




n 11 


n 


n w 


n nl 


n 






w 


n n 




n n 


w 


w 


1 


n 






1 


n n 


1 


n 


1 






w 


n 


1 


n 




1 




11 w 


n 


n 




w 




n 


n 







n n 



Conjecture 1 The maximum nonlinearity for a 1-resilient Boolean function 
f X on n variables is given by 

n even 
, n odd. 

n 11 w n 1 11 w n 



Nf 



n—1 

n—1 



Theorem 2. The maximum nonlinearity for an n— -resilient Boolean func- 
tion f X on n variables is given by 



Nf 



Proof. k 1 

n — In n 1 
n w n f X 

kn n f X n Inl n 

n f X 1 In 

n n 1 



n 1 w kn w f x 

f X n— n— — 

1 1 1 
n n n 1 

n Inl 



n n 

n nl n 

n 11 n 

n nl n n n — 



^ ^ XjX.i^.\-i X2v+1- 



i=l 

71—2 

n n n n 

n n n 

1 kn 1 Ik 1 

In n n 



1 1 





Further Results on the Relation Between Nonlinearity and Resiliency 41 



4 A Novel Search Algorithm 



n 


n w 




n n 


1 1 






n 


n 1 


n nl 


n 




1 n 


1 


n 


n n 










1 








1 






n 








1 


n n n 


w 






1 






n n n w 




1 




n 


n 












F u> 


E - - 


UJ X 






















X 
















/ a; 


— 


/( 


n 


n 




n 






n 


1 


w 


n n 






F 


Af w F n 


f 




1 


n 






^ w 


1 A 




1 






n 






n 


1 


w 


11/ 


1 






1 






















n 


n 


An/ k 




1 




n 




n 




1 n 






1 : 


n n n / X 


balanced 


iff F 






n nl n / 


X 




n w 


n 




















Nf 


^ - F uj , 


U) 






















UJ 
















n n 


m 


1 n 


n 






















F u! , m. 














n w fl 










n 


n 


f ■ 


X n 


n 




n 


n 


nl 


n 








n 




w 






1 


1 n 


F 






f n F n 






1 




1 


n 


1 


n 






1 


k n 


n 


/ 




n 1 


n 




n 








n 


n w 




1 




n 
















/ f f\ 














w 


fk n 






w 


11 


n 


k th 


n fk 








1 n n 




k th n 


n / w 11 n 




n 




n F 


n 


n 


1 






n 


w 


1 


n 


F 




n 












F 


Af 


Af Af F 


A.kfk 










w 


A.k n 






k th 1 


n A 
















n w 






m 


n F 








1 1 


n 


F 


n 


Fmax 






Fm 


Fmax 1 1 


2n 


Fl 




n c 






1 n 


^ W 


n 


Cj 


, W Cj 




n 




fj Fmax 






w 


n 




1 n 


W Cj 
















n n 




s 


n 


f n 1 


n 




s 


n 






Cs 


n fl 




n 1 


n n / w 








Fm 





n F \ Fm 



n n n 



n 



n 




42 



Enes Pasalic and Thomas Johansson 



n w n 1 n n / 

n n F W 1 Fmax - w 11 
n w 11 n n 



n Fm n n 
1 Fm. w 



n n w 



1 n 1 

n 11 cycle 



11 n n Fjnax 1 n 

1 n 

1 1 I 

n 1 n n w n n n 

n w n f X 

1 n 



n 1 n 



n n ,s 



In n n / X 



n n F Fi^ Fi^ 



F- F- F- 11 

In s n / X 

k n nl n 



V W V 

w n s 



n w / X 



1 n 



n n n 

nnnllnln n 

1 n n 1 n F 11 w 

n In n n 

f X nnln nnnlF^ F uq 

u>o OnlF^ n/x f x x coq n nwn nnlF^ 
T In n n nl n n 1 /x 

n nl n n 1 n n 

nn/x f X nln 11 n nn 

1 n w 



F 0 E - E- f{x) _ ioo X p 



wn w n In nnwnwn w 

n 1 n n n / x 1 n n n 

2 w n 1 u> F io ,oj IF^ 

B n n m,m n w w Inin nn 

ppo 

1 m n n Iw 1 

nnln n n C In 

nn/xn In nFw uj 

n w n 11 n n n w cu 

nln n n 

m n n C n w n n/xi,...x„ w 1 

n n w n n 



n n w io 



f X f C X . 




Further Results on the Relation Between Nonlinearity and Resiliency 43 







/ 


X 




1 


n 


n 


n 










F 


UJ 


E- 


_ f(Cx 


0 _ 


U! 


X 


E- 


fiF _ 


UJ B 


X 


tu 








X 










X 












n 


1 




w w 11 


n 






W 


FRO n 


n 


n n n 


n 




w n 




W 


n 




n 




n 


















1 




1 


W 


1 






1 n 




n n 


n 




n 


n 








n 


n 


nl n 


w 


w 






n n 


1 n 








1 




n 


n 


n 


n f X 


n 




1 n 




n 




k 




n 


n 


w 1 


n nl 


n 


n 




n 


w 


n 


















n 






1 








n 


n 


n 


w 






n 




n 




n 




n 


1 




n 




1 




1 


11 




n 




n 






n 




n 1 








Table 3. Nf n, Cl n n 



n nl n n n n n 

Inin n 

n nwn k Innn 

11 nn w 1 nln nwwk 1 

nnwl k 11 Innnn 

1 n 1 n 1 n 1 

n 1 n n n n 

n n nl n n 1 n 11 kn wn n n w 

1 1 



5 Conclusion 



1 1 n n nl n 

n n 11 1 

11 n 1 In 



In Inn n 
nl n 1 

n 1 





44 



Enes Pasalic and Thomas Johansson 



n n 

1 

n n w w 

1 n m 



n w 1 

n n n n 

1 n 

In n n 



w n 

1 n nl n In 

1 n 

n n 1 



References 

1. P. Camion, C. Carlet, P. Charpin and N. Sendrier, “On Correlation- Immune func- 
tions”, Advances in Cryptology - CRYPTO’91, Lecture Notes in Computer Science, 
1233, pp. 422-433, Springer- Verlag, 1997. 

2. S. Chee, S. Lee, D. Lee, S. H. Sung, “On the correlation immune functions and 
their nonlinearity”. Advances in Cryptology - ASIACRYPT ’96, Lecture Notes in 
Computer Science, 1163, pp. 232-243, Springer- Verlag, 1996. 

3. L. E. Dickson (1900), Linear Groups with an Exposition of the Galois Field Theory, 
Teubner, Leipzig 1900; Dover, New York, 1958. 

4. E. Filiol and C. Fontaine, “Highly Nonlinear Balanced Boolean Functions with a 
Good Correlation- Immunity” Advances in Cryptology - EUROCRYPT’98, Lecture 
Notes in Computer Science, 1403, pp. 475-488, Springer- Verlag, 1998. 

5. R. Gallager, Information theory and reliable communication, 1968. 

6. X. D. Hon, “On the Norm and Covering Radius of the First-Order Reed-Muller 
Codes”. IEEE Transactions on Information Theory, 43(3), pp. 1025-1027, 1997. 

7. B. Kolman and R. E. Beck, Elemental^ Linear Programming with Applications, 
Academic Press, 1995. 

8. S. Maitra and P. Sarkar, “Highly Nonlinear Resilient Functions Optimizing Siegen- 
thaler’s Inequality” Advances in Cryptology - CRYPTO’99, Lecture Notes in Com- 
puter Science, 1666, pp. 198-215, Springer- Verlag, 1999. 

9. W. Meier, and O. Staffelbach, “ Fast correlation attacks on certain stream ciphers”. 
Advances in Cryptology-EUROCRYPT’88, Lecture Notes in Computer Science, 330, 
pp. 301-314, Springer- Verlag, 1988. 

10. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, 
CRC Press, 1997. 

11. W. Millan, A. Clark and E. Dawson, “Heuristic design of cryptographically strong 
balanced Boolean functions” Advances in Cryptology-EUROCRYPT’98, Lecture 
Notes in Computer Science , 1403, pp. 489-499, Springer- Verlag, 1998. 

12. W. Millan, A. Clark and E. Dawson, “An effective genetic algorithm for finding 
highly nonlinear Boolean functions”, In First International Conference on Infor- 
mation and Communications Security , Lecture Notes in Computer Science, 1334, 
pp. 149-158, 1997. 

13. T. Siegenthaler, “ Decrypting a class of stream ciphers using ciphertext only”. 
IEEE Trans. Comput., vol. C-34, pp. 81-85, 1985. 

14. T. Siegenthaler, “Correlation immunity of nonlinear combining functions for cryp- 
tographic applications” , IEEE Transactions on Information Theory, vol. IT-30, pp. 
776-780, 1984. 




Combinatorial Structure of Finite Fields with 
Two Dimensional Modulo Metrics* 

g tz-oo^ -o^g og- 

o g - t ^ 

^ i i n n 

ni i i i 00 in 

edgar . martinezQieee . org 
^ ni i n in 

ni i i i 00 in 

j aviOt ita . emp . uva . es 

^ n i ini 

ni i in n i 0 00 

{mborges,mijail}Qcsd.uo . edu. cu 



Abstract. 

i 

nn i 



1 

n i 
i i n 



n 1 n 
i 

n 



n 

i 



n 
i n 



1 1 n 
i 



1 

i n 



1 Introduction 



t 




t 0 




% 


0 




t 


0 t 




t g 




t 


0 


t g 




t 


0 


0 


0 


0 t 


0 


t 




0 


t 


0 


t 






t 


to 0 


t g 


0 




gt 0 y 




0 t 


1 1 


1 1 


y 0 


to 


0 


t 




t 


0 


t 0 


g 




0 


0 t 


0 t 


t 0 


0 t 








0 


0 


t 






t 







1.1 Gaussian and Einsestein-Jacobi Numbers 



t 



o g z t o o 

algebraic integer t oot o 



t g y g 

o o y o o 



i n i 
i -0 1 



n 



n 



n 
n i 



n 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 45-55, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




n - 



0 




t 


t 0 


t g 


0 


t 0 


0 






0 


g 


t g 




t 


oot 


0 t 


to 2 




0 


2 






0 










t 


0 Gaussian integers 




t 


0 


0 






0 






g 


y t 


t g 










t 


y 




t t g 








- 




oot 


0 2 


- 




- 


2 _ 2 


0 


t 0 


Einsestein- 


■Jacobi integers 


1 


; t 




t 0 


t 


0 




g 


y 


- 


- 


3 


g 


t 


y 






t 


t g 




- 






t 


oot 0 t 


t 0 


2 _ 


- 






2 _ 


2 


0 






0 


- 


1 


ot 


t 


0 g 


t 


y 








0 0 




t 




t 






t 


t 




t 


t t t 




t 0 




— 


- - 


t 


t 0 




— 


- 


- 




- 


ot 






to z 


t 0 


0 


y t 


t t 


0 








0 t 


t 


y 


t 


0 


t 


y 0 


t y 




0 


0 








0 


t 


0 






0 




to t 




t 













1.2 Embedding Finite Fields in 

Case A: Gaussian Integers t 

t g 0—0 

t o t t tt 

2 2 - 

ot y ^ t to 

O to O t 

t to 



o 

t ot t 

p 

g y t to k g t 

t t to t to 

TT g y 

o — 



1-dim Metrics 

too 

t k o t t o 

ot 

t g 0 0 t o - 

g to ^ t t t 

o ot t 

t g t o t 
to -0 — — c 

o t t t 0 0 



3 



o TT tty tt^ot- 

tgoogto- o g otto 

Remark 1 In the case — 3 o and the isomorphism above does 

not apport any relevant information over . For this type of primes — is 

a quadratic non residue of , hence we get the following isomorphism between 
^ and p where : 

p — — — 0 } 



constructing 



2 



with the irreducible polynomial 



2 




in 



1 



ini 



1 



Case B: Einsestein-Jacobi Integers t 

to ot y — t o 

t-o tg yt zot 

— 0 0 ^ o — o 



t 



o g ot t t t 



too gtot ot 
t t o 



1.3 Metrics over ZZ\S^ j -r ZZ\S\ 

0 0 0 ot t ( 

t g ot t t t 
y - 3 o 



t o 
go 



t o 



Mannheim Metric 

g t o 7 



t 

t — 
t 
t 

t t 



-o t 
t t 



t - ^ t7 - 

m 7 — 7 - — ^ - 

M M 7 ot 

g t t t 

O t t 0 0 

o 

o o 
o t y 



t o o t 

t t ™ t - 

g t o 7 - 

t t o 07 

o t to 

t g t O X 



n— 1 

MX M j 

J-0 



t 



o 



t 

t o 



t to ot 
t 0 0 

2 "^ t - 3 o 
g t g t 

to X 0 n- 



g 



y M X y 



M X - y 



Hexagonal Metric 

o t-o 



O 2m o — 
t to 



— O 0 to 7 

O O 



to O 
7 t t 

t o to 
o 



t hexagonal weight 

o t t t t 
o z ™ o — o 
t g t t to 



2 Association Schemes 



2.1 Transitive Actions 



t o o g o 

t go t t o 
g o Q o to tt 

0 - — - 0 - oot 



y - G - 



o ot t o o 
o t to o g 

ot t o to 
t to 



to t o t o t 



t o 



t t o go 
t t o 
t — 



o t 

ot t t 



ot 




n 



y Qx — — Q — — t kot to t ot 

t z g y 



Q - Q Q. 

— Qx 



t 


— c 


* 

7T 


t 


go g 


t 




y 






t 


g 


0 


rotations 


y 




7T 


t to 


y 




t 




-- 




0 


t y 


0 t 


0 


t 


t 




0 t 




t 


t g 


0 


0 


t 


t 


; 0 


^ 0 


t g 




7T 


* 


0 t 






t 0 




t 0 


ot 


g 0 


- - 




0 g 


y 


k 


g 0 




ot 


y - t 






t t 0 g 


0 


0 


^ g 


t 


y t 




t t 0 


- 




t 


t 




t 0 




-s 


0 


0 


n t 




t 


t 0 g 0 0 




t 


. 0 




t 






t 


t 


0 


t 


n 




t t 0 g ( 


0 


0 


t t 




n 

7T 




y 






— 


n 


n 


n h 


Ai - 


n 


n 










t t 


t 


t 0 




h h 


hh^ 






hh^ 


3 


hjh 


L cr(i) 


— 


~ n t 


t 


t 


y 0 


n 

7t 




y 


t 


y 




0 


h 


- 


n 


X ■ 


- 


n 

7T 


t 


























h 


X 


X 


i 


hi 


a-i(i) 














t 0 


y 






t 


g t 




t 0 




t 






t 


fl 


g 


0 


0 


t 


0 g to t 




0 


t y hj 




y 


t 


t 




0 t 


yo t 


0 


























0 0 


g 






0 


0 t 




0 t 






t 




t 0 


0 t 


t 


0 


t — 


n 






t t 0 g 


0 


0 




t 


t 


to t 


; t 


oot 


g 


0 


„ 0 t t 


; 0 




0 


0 


t 


0 - 


- 


t g 



o 



Lemma 1 (Lehmann’s Lemma) Let n, — as above, then „ acts on the set 
" m the following way: 



j CT-l(j) 



and the mapping: 



n 

n 

is a bijection, where — " zs given by j — hi . 

2.2 Preliminaries on Association Schemes 

oot too oto g y 

to 











in 


1 




ini 


1 






Definition 1 


An association scheme with 


classes is 


a pair — 







d 

i 2=0 


of a 


finite set 


and a set of relations — i 


-1=0 on 


satisfying the following 


rulet 




















1. 


0 — 


— — — (the diagonal relation) 












2. - 


- i-f=o 


•• a partition on 


- . 














3. - 


0 


0 


-s.t. j 


j, where 


t _ 

i 


- 




2 


4- For each election of — 


-0 — the number. 


. k 

■ ij 


— 


— 


— 




i 


— j — is constant for all 


- ; 


k 












t t 0 0 


t 0 


t 




t 0 


t 




y 


0 


t 


to t 


0 0 


— 


-g 


y 












i i 


0 x,y V 


i 




0 






i 




0 0 


to — 0 




t to 












r. 


0 (identity matrix) 


















, where is the matrix where all entries are . 








3\ - 


0 


0 


— such that 


t 


3 










r- 


i ~ 3 


o 

II 

W 


















t 0 


t — ■— 

^ * i=0 


t g 


t g 


t 0 






g 


B 


0 


1 


0 - g 


t 




t 


t 


y 


- 


t 


y 0 t 


;o B 


0 




t 




0 




t t 


t 


t t 


i j j i 


0 t 


g 




0 t t 




t 




t 


g 


go z 


t 




t 


0 t 






ot t 


— 0 


1 


1 d~ i 


t 0 


t 




t 


0 




g 0 




t 


0—0 1 


d-to t 


t 0 




ot t 






t 


t 


0 t 


g tot 


0 to 






_ - 


-1 




- 


0 


g t 


y t t t 




y 


t 


t 

i 


i 






t 


i 


y t t 


t 0 t 




t 


t 








2.3 


Constructing the Mannheim Scheme 












t 


t 0 


0 t t 


0 to 






0 t 


to 






t 


0 


^ " 0 0 
TT 


t 0 


0 






y t 


t 


y - 


t 


0 


t t 0 t 0 


0 


t 


t 


ky 


t 




t 




t 


0 


0 t to 


t 




0 t 










t t 


t to 0 


-0 


—to t 




0 g t 


t 


g 




t t 


k — 




















0 t 


0 0 0 


0 t to 


0 




go 0 t 










0 0 t t 


0 


0 0 






t 


t 






go 0 


0 t 0 


t t t 


t t 




t y 


0 




t 




t 0 


0 — 


t to 


t 0 




t 0 






ky 


t 


0 


t 0 


y t k 


0 


t 


0 to 


0 


-0 


t 0 


t 


t 


t t 0 go 


















0 



n 



O t O 



t t 



t o t o t to 



y t t t 
o t o o t 

o 

t to ^ - 

7 T 

o t 



t o 



t 



t o 



t t o t 



o t 
t 



k y t 

y o 



g y 

— k — 



k 



t k 
t t o go 
t t 



totot o to — t t 

tko to ttott Otko 



t ot o oto — 0 — 0 — ■ 



t 

o t 



ttot o gO o o 



0 — t 

o g g to t 



o o t 



o g t 



tt 

k 0 k 

t k- g 



Example 1 We recall the example in [8]. Consider 3 represented as 

3+2i- have a pictorial representation of it as in figure 1. 





Fig. 1. 



3 + 2 i 



3+4p 



Clearly the orbits are given by: 

0 — 0 0 — 1 — —0 — 2 — —0 — 3 — 0 3— 

And using the definition in (13) above the relations are given by: 

0 000000000000 1 0 000 00 000 

2 0000 0 0 000 3 00 000000 0 

Note that each matrix is represented only by its first row since they are cir- 
culant, and hence their eigenvalues are calculated easily ( see [3]), and they are: 




in 



1 



1 



Matrix 


Eigenvalues. 




Eigenvalues 


Multiplicity 


0 


1 


13 


1 


4 


1 


2 


a 


4 


3 


b 


4 




c 


4 



where: 



E n 

i Go Pi 

E n 

i Go P2 

E n 

i Go P3 



27ri 

13 ■ 



2.4 Hexagonal Schemes 



t 



t k o 
o to 



tt otto t o to 

t hexagonal scheme 



Example 2 Let us represent 3 as 3 + 4 p- have a pictorial repre- 
sentation of it as in figure 1. the orbits are given by: 



0 — 0 



- 0 - 



0 



0 



0 ■ 



the relations are: 

0 000000000000 , 1 0 0 

2 0 0 0 0 0 0 0 



Matrix 


Eigenvalues. 




Eigenvalues 


Multiplicity 


0 


1 


13 


1 


4 


1 


2 


a 


12 



where: 



0 0 0 0 



( E” 



Go Pi 



27ri 

13 



3 Patterns 



to 

o 



D 



g t O t O O 



t too o 

0 0 o to o k o 

oy tt otot t t 

t o otto tEgoo 

t r o r g ot tt 

to t o t g g 

ogto o t toT — 



r 

rir - rr r rr r- r 

to r t g o y 

r* tor r„ 



r* 



-r - r- 



tt 



o to 
t o - 
t o 
t t o 
t 

t o 

pD 

go 0 0 
o o g to 



Definition 2 We call error patterns of the Mannheim scheme or the Hexagonal 
scheme to the equivalence relations of the action given in (8) where the group 
— H^or — -T— respectively. 






n 



Lemma 2 The error patterns of the Mannheim scheme or the Hexagonal scheme 
are completely determined by the orbits of the action: 



-H — IT L'tt — IT 
]±rr - 

Proof, too tyot o o 

o riirmTi t o 

t tt t 

t t Pj — Pa(j) ~ Pij 

t ot too to 



o g 



Tl o t 



t tog to 
g y nrTnrr^ 

t t o r - r„ g 
or t g 
y o t tt g 



o t to 
ri77777r„ 



ri,mnr 

t tt 
ook g o 



g rilJTTTri 0 0 tot 



t o 



Definition 3 Let P an arbitrary commutative ring and let P P — P a func- 
tion. We call P P the weight of figure P. The k-th figure sum is defined as the 
sum Pk J2r weight configuration of P — P^ is given by 



P P 



a D 



p p p 



y t o 
P Pf 
t t o 



r r 

o 



tog to 
P-Pf 1 
got 



r* t g t o 

t pattern snm P P P* 



tt 



Theorem 1 Let P* Pf^ 

p r* 

^ ^ i 

Proof, o 00 



il+2j2+ +njr,=n 

t o 3 0 



PfiPfilUP^- 



Example 3 Lf we let P P for all P we get the number of possible error 
patterns, indeed Pk is the number of orbits in the action (If). From Burnside’s 
lemma we get the number of orbits in (If) and then we compute the number 
of error patterns. In a Mannheim scheme the number of orbits of (If) is just 
\ -P — 3 and in Hexagonal scheme ^ -P — , where respectively: 



H’- 



P ifP- 
if P-3 



or H’ ■ 



P ifP- o 

P if P- o 



and hence the number of Pf -orbits for dimension P is just: 

il+j2+ +jr, 

P- 3 



Z. Dt^Pk 

il+2j2+ +njn=n 1 

r* i r* n r 



ini 




in 



1 



ini 



1 



and 



ii+2j2 + 



-\-njn=n 



n 






- 



jl+j2+ +j, 



respectively. 



Example 4 If we let F F Fi if F — Ft we get Ft resulting 

pattern sum is an homogeneous polynomial in Fxlllllll. For example, consider 
FF 3 represented as IF F^^ 2 i example 1), and consider the case F 
The pattern sum is: 

r 2 ^ ^0 A F2 Fs It n It It 

ii+2j2=2 k=ll^‘‘lk 

- Fo A F2 Ts 2 - I\ 7| 7| 

Indeed, we get no much information since we get all degree two monomials as 
the possible patterns of errors, i.e. all the combinations of two errors taken from 
the orbits. Following example gives us some more information: 



Example 5 If we let F F F^a) if F — Fi. For example, consider FF 3 
represented as FF F^_,^ 2 i example 1), and consider the case F . The 
pattern sum in this case is: 



F - Fo Fi F2^ - It It It 

For example, an error has weight F 0 F 2 if it as error pattern of distance two, thus 
the number of such patterns is the coefficient of the monomial /q J 2 in F 



ot t 
o 

t o 
F F 



t y ot g t to 

to t t o t 

o t To 

o o y t t 

i-rf(i) F-Fi o t 



00 t 

g t to o o o 

t ot o o 
tt t g t o 

o 



^ 2 



4 Conclusions 



t o t 
o 

o 



o 

g 

g 

g g 



y to o t 
too o 
to o t 



t t o t 

1 1 o o t t 
t g t g o g 

otty ot to 




n 



t O 

O t 

o t 

to o 

t 0 0 g 
o t to t 

t t t 0 0 t 

to t t 

t go — 

o t g o t 

t tgto otto t 

t t t t o t 

ot oy oyo ^ ot 

0 0 o tgto 



t too to 

toot gtt to t g 

t oy o y o o 

ot t yotoyo o 

o 00 gt ottoo 00 t 

to ot oto o t 

g t to y y t 

o t o o t o o 

r-p — r-pp- r-o t t o 



too to o 

tot g 
o t y o t o 



References 

1 J.L. Alperin , R.B. Bell 
i 1 in 

E. Bannai, T. Ito 



N. Biggs 
1 

B. Bollobas 

1 

P. Camion 

in 

1 n 

Hardy, G.H., Wright, E.M. 

in i i n i i n 1 

K. Huber 
0-1 1 
K. Huber 



1 1 - 



P. Delsarte 
ni 



1 1 



in 
n 1 



n n n 



1 1 



0 1 



10 P. Delsarte,V.I. Levenshtein 

n n n 0 1 

11 W. Ledermann i ni i 

1 

1 H. Lehmann 

i ni i " i n 1 

1 E. Martinez, F.J. Galan Combinatorial structure of arithmetic codes. in 
ninnnin 1 n 




in 



1 



ini 



1 



1 E. Martinez, M. A. Borges, M. Borges Combinatorial structure of rings of 
complex integers with Mannheim metric. 1 n in i - 

in n n 

1 

1 E. Martinez Computations on character tables of association schemes. 

in i n i in 0 in - 1 

1 H. Tarnanen ni n 

n ini 

1 P.Sole i 

i 11 11 

1 P.Sole 

in i 10 1 1 1 




A New Method for Generating Sets 
of Orthogonal Seqnences for 
a Synchronons CDMA System 



o o 

University of Leeds, Leeds, LS 2 9 JT, UK 
eenhmdOelecteng. leeds .ac.uk 



Abstract. A new, systematic method of generating orthogonal sets of 
sequences with good correlation properties is described. An orthogonal 
set is defined as a collection of n sequences, of length n chips, that are 
mutually orthogonal. Although there are many possible combinations of 
sequences forming orthogonal sets of a specified length, few have been 
identified with a structured method of generation such as Walsh codes 
and orthogonal Gold codes. The application of the new sequences dis- 
cussed is orthogonal spreading codes in a synchronous code division mul- 
tiple access (CDMA) system and their correlation properties are consid- 
ered accordingly. 



1 Introduction 



o o 

O 0 0 

o 

o 

o o 
(n — 1 



o o 



o o 



O 0 0 0 0 0 



o 1 



o 

o 



o o 



O 0 0 

o o 



0 0 0 0 0 
O 0 0 0 



O 0 0 



o 



o n 

(1 

^n — 2 

O O 

X-} , xj} ... 
o 



n 









1 



1,-1 O 

-1 1 



0 0 o 
o o 

0 0 o 

0 0 o 

o o 



0 0 o 

0 0 0 0 

0 0 0 0 
o o 
o 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 56-62, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




A New Method for Generating Sets of Orthogonal Sequences 57 



2 Method of Construction 



o o 



o 1 o 



O 0 0 o 



0 0 0 0 



o o 



ai (ao, 01,02 o„-2 

hi (60,61,62 6„_2 



oi hi o k < n — 1 

7 *^^^ Oi o fc n — 1 



hi 



o hi k 



o 00 

o o 000 



1 1 o o 

o 1 o 

1 1 o o 

loo o 00 



000 o 



(k) 

% o 



1 , „<‘> 




58 



Helen Donelan and Timothy O’Farrell 



2 (ttl ; C['2 — T CLi 

hi 2 (^1,^2 hn-2^ho hi 



o o 



0 0 0 



(n — 1 



(n — 1 



3 Alternative Constructs 



fl o 



(n — 1 



o hi 



o 0 0 



o o 



o 0 0 



0 0 o 

O 0 0 



o o 



O O 00 



o o o ( 1 o o 

o (n — 1 (n— 0 00 



o o 



0 0 0 



4 Correlation Properties 



o 




A New Method for Generating Sets of Orthogonal Sequences 



59 



o o 



0 0 0 0 
O 0 0 

o * 

o 



O 0 0 

o 



o o 
o 



o o 



o o 



O 0 0 0 

o o 
o o 

0 0 o 



o o 
o o 



o o ( 



o o 
o 



o 

0 0 o 

o n n o on , 1 

0 0 o 

0 0 o 

O 0 0 

O 00 0 0 0 0 



) -*- 5 1 ) - 



0 0 o 



Table 1. 



O 0 0 



Set Size 


Number of Sets 


Peak Correlation Value 


8x 8 


7 


4 


16x 16 


15 


8 


32 X 32 


31 


8 


64 X 64 


63 


16 


128 X 128 


127 


20 


256 X 256 


256 


32 



5 Mean Square Correlation Parameters 



o 



o 



o 



o 



o o 

o 

O O 0 0 

0 0 0 



O 0 0 

o o 



0 0 0 0 



o 




60 Helen Donelan and Timothy O’Farrell 



00 0 0 0 0 



0 0 0 0 



o o 



o 00 o 

0 0 0 0 



0 0 o 



K-l N-1 
k—0,k^l m=l 



o o 



( o 



0 0 o 



0 0 o 



CsiSiim 



0 0 o o 



O ^la ^^'c 



0 0 o 



0 0 o 



K{K - 1 iV2 ^ ^2 



O Me O 



O 0 0 0 o ( 

O ( 1 0 0 0 0 0 

( 1 o o 

( O 



o o 



o o 



o 



o 



o 




62 



Helen Donelan and Timothy O’Farrell 



6 Conclusion 



o 

o 



o o 

o 

o 



0 0 0 0 

(n — 1 o o (n — 1 

0 0 o 



0 0 o 



(n (n — 1 



o 

0 0 0 

o o 

o o 



o o 

O 0 0 

o 

o o 

0 0 0 

o 

1 1 



o 



o 



o o 

0 0 0 0 

o 

O 0 0 0 0 



o 



00 



References 

1. Garg, V.K., Smolik, K., Wilkes, J.E.: Applications of CDMA in Wireless/Personal 
Communications. Prentice Hall (1997) 

2. Tachikawa, S.: Recent Spreading Codes for Spread Spectrum Communication Sys- 
tems. Elec, and Comm, in Japan. Vol.75. No. 6. (1992) 41-49 

3. Popovic, B.M.: Efficient despreaders for multi-code CDMA systems. Proc. ICUPC. 
(1997) 516-520 

4. Dinan, E.H., Jabbari, B.: Spreading codes for direct sequence CDMA and wideband 
CDMA cellular networks. IEEE Comms. Mag. (1998) 48-54 

5. Sarwate, D.V.: Bounds on crosscorrelation and autocorrelation of sequences. IEEE 
Trans, on Communications. Vol. IT-25. No. 6 (1979) 720-724 

6. Pursley, M.B.: Performance evaluation for phase-coded spread-spectrum multiple- 
access communications - Part I: System analysis. IEEE Trans. on Communications. 
Vol.COM-25. No.8. (1977) 795-799 

7. Schotten, H.: Tutorial: Sequenzen und ihre Korrelationseigenschaften. University of 
Ulm.(1998) 




New Self-Dual Codes over GF(5) 



Stelios Georgiou and Christos Koukouvinos 



Department of Mathematics, 
National Technical University of Athens, 
Zografou 15773, Athens, Greece. 



Abstract. Self-dual codes and orthogonal designs have been studied for 
a long time as separate research areas. In the present paper we show a 
strong relationship between them. The structure of orthogonal designs is 
such as to allow us a much faster and more systematic search for self- dual 
codes over GF(5). 

Using our method we constructed the following linear self- dual codes 
over GF(5):(i) [4,2,2], (ii) [8,4,4], (iii) [12,6,6], (iv) [16,8,6], (v) [20,10,8], 
(vi) [24,12,9], (vii) [28,14,10]. The codes (i), (ii), (iii), (v) are extremal. 
A [28,14,10] code is constructed here for the first time. 



Key words and phrases: Self-dual codes, construction, orthogonal designs. 

1 Introduction 

We first give some basic definitions which are needed in order to explain our 
method for the construction of self-dual codes. Self-dual codes are important be- 
cause many of the best codes known are of this type and have a rich mathematical 
theory. An orthogonal design of order n and type (si, S 2 , • ■ • , s„) (si > 0), de- 
noted OD{n; si, S 2 , . . . , Sm), on the commuting variables Xi,X 2 , ■ ■ ■ ,Xu is &nn n 
matrix D with entries from the set {0, x\, X 2 , . . . , Xu such that 

U 

DD'^ = i'^SiX^^)In 

i=l 

Alternatively, the rows of D are formally orthogonal and each row has precisely 
Si entries of the type Xi. In [2], where this was first defined, it was mentioned 
that 

U 

D^D={Y,Sixi)Ir, 

i=l 

and so our alternative description of D applies equally well to the columns of D. 
It was also shown in [2] that u p{n), where p{n) (Radon’s function) is defined 
by p{n) = 8c + 2'’*, when n = 2“6, b odd, a = 4c + d, 0 d < 4. For more details 
and construction methods of orthogonal design see [3] . 

In this paper we restrict our attention in two variable orthogonal designs, i.e 
in the case where u = 2. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 63-69, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




64 



Stelios Georgiou and Christos Koukouvinos 



For our consideration we also need some facts from coding theory. Our ter- 
minology and notation follow [6]. Let F = GF{q) be the field with q elements 
where g is a prime power. An [n, k] linear code C over F is a fc-dimensional 
vector subspace of F". In particular, codes over GF(2) and GF(3) is said binary 
and ternary codes, respectively. The elements of C are called codewords and the 
weight of the codeword is the number of its non-zero coordinates. A minimum 
weight is the smallest weight among non-zero codewords. An [n, k] code with a 
minimum weight d is called an [n, k, d] code. Two binary codes are equivalent if 
one can be obtained from the other by a permutation of the coordinates. 

The dual code C of C is defined as C = {x F"|x y = 0 for all y C . 
If G G , G is called a self-orthogonal code. G is called self-dual if G = G . 
Furthermore G is called doubly-even if the weights of all codewords of G are a 
multiple of four. A self-dual code is called singly-even if there exists at least one 
codeword whose weight is 2{modA). 

A self-dual code G is called extremal if G has the largest possible minimum 
weight. The known bounds of d for q = 2,3,4 are given in [7] and [8] . In particular 
the following theorem is known. 

Theorem 1 ([8]) The minimum distance d of a self-dual [n,n/2] code C satis- 
fies 

' 2 [^] + 2 if q = 2 and C is singly-even 
4 [^] + Aif q = 2 and C is doubly-even 
I 3[f|] +3z/g = 3 
^ 2 [^] + 2 if q = A and C is even. 

For each length, the details of the largest possible minimum weight is listed 
in Table I in [1]. Conway and Sloane [1] also gave a list of the possible weight 
enumerators of binary extremal self-dual codes. The existence of some extremal 
self-dual codes is an open question in [1]. 

2 The Method 

In this section we will show how we can use an orthogonal design in order to 
obtain a linear self-dual code over GF(5). 

We consider an orthogonal design OD{n] s\, S 2 ). Then we replace the first 
variable by 1 and the second variable by 2. This replacement of course does not 
affect the orthogonality of the rows, and let us denote the derived matrix by 
A. We shall take the elements of CF(5) to be either {0, 1,2, 3, 4 or {0, 1, 2 

using whichever form is more convenient. 

On the other hand since there are more orthogonal matrices with elements 
from GF(5) than orthogonal designs with elements from a set of commuting 
variables, we use both of them in order to construct the desired codes. 




New Self-Dual Codes over GF(5) 



65 



U 

Lemma 1 If we say c = '^^Sixj, where in our ease u = 2, then the matrix 

1=1 

C = [a/„, A] is the generator matrix of a [2n, n, d; 5] linear self-dual eode if and 
only if c+ is divisible by 5. 

Proof We have that 



CC^ = [aI^,A][aI^, = (c + a^)I^. 

Thus if c + is divisible by 5 then CC^ = 0„ over GF{5), where 0„ is the 
n — n matrix whose entries are all zero, and then the matrix C = [a/„, A] is the 
generator matrix of a [2n, n, d; 5] linear self-dual code. On the other hand if the 
matrix C = [aIn,A] is the generator matrix of a [2n, n, d; 5] linear self-dual code 
then CC'^ = 0„ over GF{5) and then c + is divisible by 5. — 



Example 1 We consider the following orthogonal design 00(8; 2, 6). 




h 


a 


a 


-b 


b 


b 


-b 


b 


a 


b 


-b 


a 


b 


b 


b 


-b 


—a 


b 


b 


a 


-b 


b 


-b 


-b 


b 


—a 


a 


b 


b 


-b 


-b 


-b 


-b 


-b 


b 


-b 


b 


a 


a 


-b 


-b 


-b 


-b 


b 


a 


b 


-b 


a 


b 


-b 


b 


b 


—a 


b 


b 


a 


-b 


b 


b 


h 


b 


—a 


a 


b 



Then we replace the first variable by 1 and the second variable by 2. This replace- 
ment of course does not affect the orthogonality of the rows, and let us denote 
the derived matrix by A. We shall take the elements of GF(5) to be {0, 1, 2, 3, 4— . 
Then [21^, A] is the generator matrix of a [16,8, 6; 5] linear self-dual code where 
A is the following matrix. 

'2 1 1 3 2 2 3 2' 

12312223 
42213233 
24122333 
33232113 ■ 

33321231 

23224221 

32222412 

Its weight enumerator is 

W{z) = 1-1- 160z® -f 192z^ -f 2880z® -f 55680® 268480^0-f 

-^ 378240^1 895680^2 844800^3 91392014 + 

-F39936015 + 1177601®. 




66 Stelios Georgiou and Christos Koukouvinos 

It is obvious that any orthogonal design with two variables can give a linear 
code over GF{5) and if there exist a — GF{5) such that Lemma 1 holds then this 
code is self-dual, but in order to find a large enough minimum weight d we must 
try a lot of orthogonal designs and orthogonal matrices. From the description 
of our method it is clear that this can also be applied in the construction of 
self-dual codes over GF(2) and GF(3). Thus we are able to construct a series 
of the previously known linear self-dual codes over GF(2) and GF(3) by this 
method. 

Example 2 We consider the following orthogonal design OD(4;2,2). 

aba —b 
_ b a —b a 
—a bob' 
b —a b a 

Then we replace both variables by 1. This replacement of course does not affect 
the orthogonality of the rows, and let us denote the derived matrix by A. We shall 
take the elements of GF(3) to he {0,1,2— Then is the generator matrix 

of a [8,4, 4; 3] linear extremal self-dual code where A is the following matrix. 

'1 1 1 2 ' 

2 111 ■ 

12 11 

Its weight enumerator is 

W{z) = 1 -b 24^"^ + 16z^ + 32z® -b 8x®. 

3 The Results 

In this section we present the results that we find using either orthogonal de- 
sign or orthogonal matrices. In particular we construct the following linear self- 
dual codes over GF{5):1. [4,2,2], 2. [8,4,4], 3. [12,6,6], 4. [16,8,6], 5. [20,10,8], 
6. [24,12,9], 7. [28,14,10]. The codes (1), (2), (3), (5) are extremal. Self-dual 
codes over GF{5) with same parameters were constructed, but with a different 
method, in [4] and [5]. A [24,12,9] code was also constructed in [4]. A [28,14,10] 
code is constructed here for the first time. Although it has not been proved yet 
if this code is extremal or not its minimum distance is quite large. 

1. The matrix [I 2 , A] is the generator matrix of an [4,2, 2] extremal singly-even 
self-dual code where A is the following matrix. 




Its weight enumerator is 



W{z) = l + 8z^ + Wz*. 




New Self-Dual Codes over GF(5) 



67 



2. The matrix [ 2 / 4 , 7 !] is the generator matrix of an [8,4,4] extremal self-dual 
code where A is the following matrix. 

'33 2 3' 

33 3 2 

^ “ 3233 ■ 

2 3 3 3 



Its weight enumerator is 

W(z) = 1 + 48z^ + 32z^ + 288z® + 128^^ + 128z®. 

3. The matrix [/6 ,t 1] is the generator matrix of an [12,6,6] extremal self-dual 
code where A is the following matrix. 




3 


3 


4 


3 


4 


0 


4 


3 


3 


0 


3 


4 


3 


4 


3 


4 


0 


3 


2 


0 


1 


3 


4 


3 


1 


2 


0 


3 


3 


4 


0 


1 


2 


4 


3 


3 



Its weight enumerator is 

W(z) = l + 44 O 0 ® 528^^ + 2640z® + 2640z® + 5544z^° + 2640z^^ + 1192z^l 

4. The matrix [2/g, A] is the generator matrix of a [16,8, 6] self-dual code where 
A is the following matrix. 



21132232 

12312223 

42213233 

24122333 

33232113 

33321231 

23224221 

32222412 



Its weight enumerator is 



W{z) = 1 + 160z® + 1922^ + 28802® 5568z® + 26848z^°+ 

+37824211 + 89568212 8448021® + 91392z^'^+ 

+399362I® + II7762I®. 




68 



Stelios Georgiou and Christos Koukouvinos 



5. The matrix [/lo, A] is the generator matrix of an [20, 10, 8] extremal self-dual 
code where A is the following matrix. 

'3 34 1 1 3 0 0 0 2' 

1334123000 
1 133402300 
4113300230 
34 1 1 3 0 0 0 2 3 
2300031143 ■ 

0230033114 
0 0 2 3 0 43 3 1 1 
0002314331 
3000211433 

Its weight enumerator is 

W(z) = 1 -t- 2280z® + 23408z^° + 72960z“ + 2416802^2 43776O2I3+ 

-hl2038402i4 4 . 15868802^5 ^ 222984021® + I90l520z^'^+ 
-hl4181602i® + 52896021® + 11833622®. 

6. The matrix [2Ii2,A] is the generator matrix of a [24,12,9] self-dual code 
where A is the following matrix. 

'411111114014' 

141111141140 
114111411401 
444411104441 
444141041414 
444114410144 
441401411111 ■ 

414014141111 

144140114111 

041114444411 

410141444141 

104411444114 

Its weight enumerator is 

IT(2) = 1 -f 10562® + IIO88220 -h 369602“ + 2123522“ + 5913602^-f 
+23823362“ + 52870402“ + 137966402“ + 230376962“+ 
+395287202“ + 461630402“ + 4925289622® + 35604800221+ 
+202403522®2 + 683232022® + 1161968224. 




New Self-Dual Codes over GF(5) 



69 



7. The matrix [ 2 / 14 , A] is the generator matrix of a [28,14,10] self-dual code 
where A is the following matrix. 

■3 330313334311 O' 

3 3 3 3 0 3 1 0 3 34 3 1 1 

13333031033431 

31333301 103343 

03133333110334 

30313334311033 

33031333431103 

20442123313033 ' 

22044213331303 

12204423333130 

21220440333313 

42122043033331 

44212201303333 

04421223130333 

Its weight enumerator is 

W(z) = 1 -f 3500^10 + 9856^11 + 99820^12 + 362152^13 + 1938224zi‘^+ 
-^6041504^15 + 22861496^1® -7 57103424^11' -7 154245868zi®-f 

-h300198752.zi9 575888012z20 + 833084840^21 + 1106507192^22+ 

-K116111808z 23 + 955594024^24 + 598184608^2® -f 281403808^26+ 
-^819920642:21' -F 11884672228. 



References 

1 . J.H. Conway and N.J.A.Sloane, A new upper bound on the minimal distance of 
self-dual codes, IEEE Trans. Inform. Theory, 36 (1990), 1319-1333. 

2. A.V.Geramita, J.M.Geramita, and J.Seberry Wallis, Orthogonal designs, Linear 
and Multilinear Algebra, 3 (1976), 281-306. 

3. A.V.Geramita, and J.Seberry, Orthogonal designs: Quadratic forms and Hadamard 
matrices, Marcel Dekker, New York-Basel, 1979. 

4. M.Harada, Double circulant self-dual codes over GF(5), Ars Combinatoria, to ap- 
pear. 

5. J.S.Leon, V.Pless, and N.J.A.Sloane, Self-dual codes over GF{5), J. Combin. The- 
ory Ser. A, 32 (1982), 178-194. 

6. F.J. Mac Williams and N.J.A.Sloane, The theory of error-correcting codes, North- 
Holland, Amsterdam, 1977. 

7. E. Rains and N.J.A. Sloane, Self-dual codes, in Handbook of Coding Theory, eds. 
V.Pless et ah, Elsevier, Amsterdam, 1998. 

8. V.D.Tonchev, Codes, in The CRC Handbook of Combinatorial Designs, ed. 
C.J.Colbourn and J.H.Dinitz, CRC Press, Boca Raton, Fla., 1996, 517-543. 




Designs, Intersecting Families, and Weight of 
Boolean Functions 






ef iliolOmailhost . esm-stcyr . terre . defense . gouv . fr 



Abstract. 
1 1 
1 

1 



1 



1 

1 



) 

1 

M AJ21 -1 



1 



1 



1 Introduction 



/ IP? F2 

wt f X W 2 f X 1 
wt f 

mm m 



1 




k 



1 



m m 



m X m 

k 

k. 



m 



m 

k X m 



m 



m 



m 



m m 

X m X " n m 

n km. 



1 . 



m 



11 . 



1 1 



1 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 70-80, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




1 



X 



m 



X m 

m 

mm m 

m 

Normal Form 

m 



1 



m m . 



m X m 



m 



m 



m 

Algebraic 



X m 
m 



m 

k m 

m 

m j 
n m 

X 



m 

m 



X 



m 



2 Preliminaries 



F 2 m 
m 

wt 1 f — wt f . 



2.1 Boolean Functions 



/ F2" - F2. 

/ Xl,X2,... ,Xn aax“ -F 2 

a F 9 



X X* 1 ,X 2 ,... 

O/y 



a ^.cti a 2 a 

'^1 *^2 ‘ ‘ ■ 



at - F 2 . 
m 1 



aa g a f fii, (32, ■ ■ ■ , (3„ 

[5 a 



F 2 ". 



f3 — a 
(3 — a 



j3i Oii % . 



m 




a 



X 



mm / 



1 1 

f ^ 0 x9 P ■ 



— f -a — ¥^-aa 1 — 

m m . minimum 

degree f dmin f 



dmin f m mvt a - 
« (/) 



wt(.) 

m m 



/ 



m 

support 



supp a 
a 



mm . m m m 

mm m 





m 




deg f 


supp 


a s — 




1- 




- 1 , 


n— 




m 






supp a 




covering 


m 


m a 



cov a —j 3 / supp [3 — supp a — 



a / 

■ 

X 

a — X. 

m m 



sov a ^ 1 m 

a sov a — — 1 m 

a / supp a — supp x 

a <> f 3 

X m 



a 



m 



a 



p 

m 



Example 1 


Let f xs, X2, xi 


Xl 


XlX2 X2X3 


X1X2X3 over ¥2 . 


Then we 


have — f 


1 7^5 5 1 1 5 


1,1, 


, 1,1,1 


— and supp 


111 -1, 


, — and 


covers all the monomials. Moreover d 


min f 


1. 










f X f A 




m A — 




A 


supp X 








m 








m m 


a — X 








m . 




f X 


/ ^ 




f N„ -A 


f X 1 1 




1,1, 


1,.. 


■ ,1,1 • 






k 


1 














< n. 










m m 







Proposition 1 Let f be a Boolean funetion on If dmin f > -^ — then f is 
underbalanced. 



Proof dmin / > -f- f X 1 
n m 

f X 1 . 



wt X — dr, 



n—1 



X 




1 



1 



2.2 Designs and Intersecting Families 

Definition 1 At— v,k,X design is a pair — , — where — is a v-element set of 
points and — is a colleetion of k-element subsets of — (bloeks) with the property 
that every t-element subset of — is contained in exactly A blocks. 



m 

b 



Balanced Incomplete Block Design 
m r 

m k 

m k 



m 



m m 

admissible parameters 



X 



— r k — 1 \ V — 1 

— bk vr 

— V — b 



k F 2 
m 

b V 

s 

m 



j 

m 



k . 

G( 

k T. A 

k . 

m - 



V 

k 



m 

symmetric 

m 

k 

s 1 
m 

n n 

n, A 

m 



m 



m 



s 



m 



k 



Definition 2 [4] Let — be a family of subsets of a n-set. — is said intersecting 

if 

-A--, -B A-B - - 

km j m 



Proposition 2 Let — be an intersecting family of subsets of a n-set. Then 

n— 1 



There exist intersecting families reaching this upper bound. 



m 

m X m 

X 



m. 



1 1 . 



m 




3 ANF and SBIBD 



m 



m 



mm 

j 

m 



m k m 
m 

j m 

t— v,k,\ 

k m 



Definition 3 Let f F 2 " — F 2 a Boolean function. Let — supp a -et — 
— / — and — N„ . Then f and the structure — , — will be said associate. 
When — , — is at— n, k, A design for some parameters n, k and A, it is called 
the associate design of f. 



... 1 



k j 

t — n,k, X 

k drain k dcQ f . 

m m 

m k 



f X m X — F 2 ” 

supp X . 

Example 2 The ANF f xs,X 2 ,xi X\X 2 X 1 X 3 X 2 X 3 is associated with a 

, ,1 (complete) symmetric design with — —1, , —and— — 1, — , — 1, 

— , — .Then / 111 1 since supp 111 —1, , —contains the three blocks 

(monomials). 



m 



m 



Proposition 3 In a — n,k,X 
have 


SBIBD, with n — k, for all bi, bj 


we 


bi - bj 


— — k n — 1 




Proof. Li— -bj — 

bi ~bj — A 

\ fe.(fe-i) 

n— 1 


k mm Li - 

.k — n. mm 


1 


— n — \ .k — n 


k 


n- 1. 


Remark : 


n, n—l, n— 


m 


mm 






m 






m 


m 





Proposition 4 Let f F 2 ” — F 2 a Boolean function associated with an n,n — 

l,n— symmetric design. Then f is never balanced except for n , —and 

its weight is given by : 

wt f ^ 



n if n even 
n 1 if n odd 




1 



1 



Proof. 



n 



n—1 



n n 



f mm 

X — F 2 " n n—1 

n—1 

m k . k 

/ 

n 1 n 



n—1. 

/ a: 1 

n 

X 1 
m 

n , -. 



X m 



Proposition 5 Let be a n,k,X SBIBD. Then the number of subsets of N„ 
containing at least one block of the SBIBD is lower or equal to . 



Proof. k 

m A — . m 

m 



Remark : 

, ,1 



n—1 



X m 
m m 



Theorem 1 Let be a n,k,X SBIBD with n,k — — , 1 , , — and f its 

associate Boolean function. Then f is underbalanced that is to say 

wt f < 



Proof. k V > k 









m 


1 . 


1- 


— 






m 


m 


k 




Jv. 

supp 


X . 





^ n—1 




mm 






n—1 




a 


bi - bj 


-a— 


k-X . 


a 


— 




a 










k . 






X 


k bi 




Li - bj 


-bi- 


k-X 


k- X 


- k 


-X k- 


X Li 


1 

1 


- X . 


V 


k. 








- k 


-A k- 


X 




k 




k - 1 


h ^ 

, n, 2 






1, 


q,q 


m q 


X 



f X 1 



supp X -f X 






k 



m k 

k 

bi - bi-bj i,j,k 

m m 

Li -bj - bi- 



k - 1 



k 

k 




1 1 



m 


1 


to 




— 




X 




k-i 
















— ( 


(n( 

i 


k 


An(n— 1) 
/c(fc-l) 




m 




k . 


i=0 
















r 


>2 


( 












n 




^ n—l 












k- X 


k - 


A — A — bj — 


hi- X 


X 


A 


A 


A - 


X - 




A 






m 


mm 






k . 








A 


< k < X 


X 


< X . 


\ k{k-\-l) 

n-1 




k < n < 


k - 


1 


k>H^- 












m m 


drain 














m 
















Remark : 


b 


mm 




f 1 






^ n— 1 



Definition 4 Let f a Boolean function whose ANF satisfies the intersecting 
property (i.e. any two blocks have non empty intersection). The associate in- 
tersecting family — is the intersecting family, each subset of which contains the 
support of at least one monomials of — f . 



Corollary 1 Let be a n,k,X SBLBD and f its associate Boolean function. 
Then we have : 



where b 

Proof. 

m 

m k 
m 



1 1 



fe-A-l 

( bAl^-k <wt f < 



i=0 

^k(k-i) number of block of the SBIBD. 

m m ml. 

X k f X 1 

k-X-1 
m m 

k — X — s — m m 



m 



k 

k 



k 



m 



X 

A 



m X m 
m 



k 

ml k 

m 

lent to weakness. 

m 

mm 



m 

k 1 f X 

structure is often equiva- 
k 




1 



1 



Theorem 2 Let be f F 2 " — F 2 with n ^ — 1; whose ANF describes a 
® — 1, ( 2 q-~^ 2 ( design (associate design). Then f is balanced. 



Proof. 

mm k . 

n~l n 9 - 1. 

h. _h .1 ^-1 

Uj T, , . . . , 2 

Fi — bj — — k n 

k 



m 

m 

k bi bj 

K Fi~ bj — Fi~ Fj bi — bj 

I i-K. f 

m k 

k 



l29”i 



( 



m 



-F-K ^ = 1 mod 

supp — supp n 1 — t 

1 



m 



4 ANF Structure of the Majority Functions 



k 

n . n 

m 

MAJ„ 

mm 

k 

m j 
m 



m m 

M AJ21 — I . 

MAJn 




k n 

m 



1 1 . 

X m 



X 



1 - 1 . 



m 



m 

m m 
m m 



n 



Proposition 6 Let f be a MAJn function. Its ANF satisfies the following con- 
ditions and then is balanced : 

1. -a /, -/? /, supp a — .supp /3 

2. -a / , -eov a ^ 1 mod 

3. -ot f ,—(d f , ^ov a — P ^ 1 mod 



Proof. 



n 



m 



/ 

n 



k — dr) 



■^min 

m 



m 

n+l 

2 

m 



m 



- / 



k 




n — 



1 



m m 



. -A-- 



m 




-a / supp a A. 

m a f X 1 supp X A 

A /.mxm A 

m a-- f 



[a / ^ 1 m 

- f A - a - /3- 



A 



rt+l n 

o 2 



f X 1 supp X A. 



I - - f , 4- i, 

^ ■ ^oc,/3 



^a,Si ^f3,6 ^a,0,5 

^oc,j3,6 

m 



^a,/3,<5“ ~^a,/3— ^a,5“ ^/3,5“ 



~^oc,p ^oc,5 ^j3,5 






z m m 

X wt X — dmin f X 1.— 

Remark : m 



— f i > mm 

MA.R 



Ad AJ2^ 



-1 



q-l 



m X 



m 



m 



- / 



union property F — F — , —F , — F 

k ” m ml 



AdAJn 

m n. 



Proposition 7 The Boolean functions MAJn have correlation order 1 and 

n—l ( 



P MAJn X Xi 



1 



Proof. 



MAJn X MAJn X 1 1 

m 



m 



m 



n 



4— —x—¥!}AJA.Jn X Xi 



1 P MAJn X Xi — 

— m i. 




1 



1 



- Xi 


MAJn X 




Xi X 


m 


m 


n — 1 


X 


MAJn X 




( Si 


fn—l t 
^ 3 V 


Xi 1 


MAJn X 


1. 


m 


( 

k m 


i=0 1 j \ 


/ n— 1 
^ 2=^ 


m 


Remark : 






m 


m 


Xi 




n — — 


n 






m 


m 


m 


MAJn X 





, rt+1 
^ 2 



( 

4- 




P MAJn X 




X m 



5 Conclusion 

m 

k 

k 



m 



m 



k 



m m . 
m 



m 



m 



m 



X 



m 



m MAJn 
k 

X 



m 



6 Acknowledgements 

m 

k 
k 

m . 

References 



k k 

mm m m 

mm j 




11 



1 Classical Geometries 

1 



1 



1 Partially Bent Functions 




Balanced Boolean Functions 



circuits 

1 

1 



1 

Balance testing and balance-testable design of logie 
1 1 

Cumulative balance testing of logie circuits 

Decoding of cyclic codes and codes on curves 
1 11 

1 



Construction of Bent Funetions and Balanced Boolean Functions 
with High Nonlinearity 

1 1 

1 1 Highly Nonlinear Balaneed Boolean Funetions with a good 

Correlation-Immunity 1 1 

1 

1 Extremal Set Systems 
■1 ) 1 
1 1 



11 



11 



1 1 



11 



1 



11 Propagation 
1 



Charaeteristies of Boolean Funetions 1 

1 

1 Correlation Immunity of Nonlinear Combining Funetions for 
Cryptographic Applications 1 



Partial Ceometries 



Functions 



Restriction, Terms and Nonlinearity of Boolean 

1 1 




Coding Applications in Satellite 
Communication Systems 
[Invited Paper] 



Dr Sean McGrath 

University of Limerick 
Ireland 

sean.racgrathOul . ie 



Abstract. This paper provides a brief insight in satellite communication 
systems from the perspective of coding applications. CDMA based systems for 
use in Low Earth Orbit (LEO) satellite systems is the focus of the paper. The 
code-division-multiple-access (CDMA) format is emerging as a dominant air 
interface technology for cellular, personal-communications-services (PCS) as 
well as satellite installations. This transmission technology relies on a 
combination of spread-spectrum modulation, Walsh coding, and sophisticated 
power-control techniques. In a typical CDMA transmitter, a data signal is 
encoded using a Walsh code and then mixed with the RF carrier, which has 
been spread using a pseudorandom-noise (PN) source. In a base-station 
transmitter, multiple data signals are assigned unique Walsh codes and 
combined. In the CDMA receiver, the signal is filtered and fed to a correlator, 
where it is despread and digitally filtered to extract the Walsh code. The paper 
examines some weaknesses of such systems. 



LEO System 

The systems of Low-earth orbiting (LEO) satellites provide mobile voice, data and 
facsimile and other mobile satellite services for both domestic and international 
subscribers. The systems consists typically consist of a space segment, a user segment 
and a Ground segment, which connects to the terrestrial telephone network. The space 
segment consists of any thing from 10 to 66 satellites orbiting the earth at an altitude 
of over lOOOKm. The user segment is composed of hand-held, mobile and fixed 
terminals. The ground segment consists of the satellite control center and Gateways. 
The systems of Low-earth orbiting (LEO) satellites provide mobile voice, data and 
facsimile and other mobile satellite services for both domestic and international 
subscribers. The systems consists typically consist of a space segment, a user segment 
and a Ground segment, which connects to the terrestrial telephone network. The space 
segment consists of any thing from 10 to 66 satellites orbiting the earth at an altitude 
of over lOOOKm. The user segment is composed of hand-held, mobile and fixed 
terminals. The ground segment consists of the satellite control center and Gateways. 



M. Walker (Ed.): IMA - Crypto & Coding'99, LNCS 1746, pp. 81-83, 1999. 
© Springer- Verlag Berlin Heidelberg 1999 




82 



Sean McGrath 



CDMA 

A CDMA spread spectrum signal is created by modulating the radio frequency signal 
with a spreading sequence known as a pseudo-noise (PN) digital signal because they 
make the signal appear wide band and "noise like". The PN code runs at a higher rate 
than the RF signal and determines the actual transmission bandwidth. Messages can 
also be cryptographically encoded to any level of secrecy desired with direct 
sequencing as the entire transmitted/received message is purely digital. An SS 
receiver uses a locally generated replica pseudo noise code and a receiver correlator to 
separate only the desired coded information from all possible signals. A SS correlator 
ean be thought of as a specially matched filter — it responds only to signals that are 
encoded with a pseudo noise code that matches its own code. Thus an SS correlator 
(SS signal demodulator) can be "tuned" to different codes simply by changing its 
local code. This correlator does not respond to man made, natural or artificial noise or 
interference. It responds only to SS signals with identical matched signal 
characteristics and encoded with the identical pseudo noise code. 



Air-Interface 

CDMA was selected due to its interference tolerance as well as its security inherent in 
the modulation scheme. CDMA is able to provide good voice quality while operating 
at relatively low RF power levels. Path diversity is employed using rake receivers to 
receive and combine the signals from multiple sources. In the forward direction the 
use of diversity brings substantial gain if one of the satellites is obstructed. However, 
the reverse direction, because this is non-coherent diversity combining the gain is not 
as good. 

Assignment of the code channels transmitted by a gateway. Out of the 128 code 
channels the forward channel consist of pilot channel, one sync channel, up to seven 
paging channels, and a number of Forward Traffic Channels. Multiple Forward 
channels are used in a Gateway by placing each Forward channel on a different 
frequency, namely the forward link pilot, sync and paging channel. 

The pilot channel will generate an all zeros Walsh Code. This combined with the 
short code used to separate signals from different Gateways and different satellites. 
The pilot channel is modulo 2 added to 1.2288 Mc/s short code and is then QPSK 
spread across the 1 .23 MHz CDMA bandwidth. 

The Sync Channel is interleaved, spread and modulated spread spectrum signal. 
The sync channel will generate a 1200b/s data stream that includes time, gateway 
identification and assigned paging channel. This convolutionally encoded and block 
Interleaved to combat fast fading. The resulting 4800 symbols per second data stream 
is modulo two added to the sync Walsh code at 1.2288Mc/s which is then modulated 
using QPSK across the 1.23MHz CDMA bandwidth. 

The paging Channel is used to transmit control information to the user terminal. 
The paging channel is convolutionally encoded at rate =1/2, constraint length K =9 




Coding Applications in Satellite Communication Systems 



83 



and block interleaving. The resulting symbol rate is combined with the long code. The 
paging channel and long code are modulo two added, which is then modulo two 
added to the 1.2288Mc/s Walsh Code. 



Modulation & Spreading 

The spreading sequence structure for a CDMA channel comprised on an inner PN 
sequence pair and a single outer PN sequence. The inner PN sequence has a chip rate 
of 1.2288 Mcps and a length of 1024, while the outer PN sequence has an outer chip 
rate of 1200 outer chips per second and a length of 288. The outer PN sequence 
modulates the inner PN sequence to produce the actual spreading sequence lasting 
240msec. Exactly one inner PN period is contained within a single outer PN chip. 

Other parameters such as Link delay are important end-to-end parameters. The 
LEO satellites will provide a much more benign delay than the more common 
synchronous orbit satellites. Delay is held to 150ms in each direction. The vocoder 
uses a Code Exited Linear Prediction (CELP) algorithm which is similar to that used 
by the IS-96 coder. 



Conclusion 

This paper provides an insight and overview LEO systems and the application of this 
current area and the possible next generation systems. Underlining focus was on 
coding used in satellite applications and in particular to CDMA systems. The 
discussion has involved coding in all aspects of the satellite system, from user 
terminals to ground stations are discussed. The implementation of the various blocks 
are discussed. Einally the paper looks at future satellite systems and examines the 
coding requirements. 




A Unified Code 



Xian Liu^, Patrick Farrell^, and Colin Boyd^ 

^ Communications Research Group, School of Engineering, University of Manchester, 

Manchester M13 9PL, UK 
mbgeexl2@f si . eng.man.ac.uk 

^ Communications Research Centre, Lancaster University, Lancaster LAI 4YR, UK 
p.g.farrell@lancaster.ac.uk 

® School of Data Communications, Queensland University of Technology, Brisbane 

Q4001, Australia 
boydSf it . qut . edu . an 



Abstract. We have proposed a novel scheme based on arithmetic cod- 
ing, an optimal data compression algorithm in the sense of shortest length 
coding. Our scheme can provide encryption, data compression, and er- 
ror detection, all together in a one-pass operation. The key size used is 
248 bits. The scheme can resist existing attacks on arithmetic coding 
encryption algorithms. A general approach to attacking this scheme on 
data secrecy is difficult. The statistical properties of the scheme are very 
good and the scheme is easily manageable in software. The compression 
ratio for this scheme is only 2 % worse than the original arithmetic cod- 
ing algorithm. As to error detection capabilities, the scheme can detect 
almost all patterns of errors inserted from the channel, regardless of the 
error probabilities, and at the same time it can provide both encryption 
and data compression. 



1 Introduction 

Data compression, cryptologic algorithms, and error control coding are the cen- 
tral applications in information theory and are the key activities in a commu- 
nication system. In fact, efficiency and reliability are the main concerns in a 
communication system. Data compression increases the efficiency by reducing 
the transmission and storing sizes without losing information significantly; cryp- 
tologic algorithms denies the unauthorised users trying to read or modify the 
messages being transmitted or stored; error control coding provides protection 
against channel errors. For error control, there are two basic strategies: forward 
error correcting (FEC) and automatic repeat request (ARQ). FEC works with 
an appropriate error correcting code and can, within the code’s ability, auto- 
matically recover the inverted bits resulting from channel errors at the receiver 
end. ARQ applies a suitable error detecting code so that the decoder at the re- 
ceiver end is within the code capability able to detect if the encoded file received 
has been damaged by channel errors and request the sender to retransmit the 
file. The essential fact in error control coding is that appropriate redundancy is 
introduced in the encoded file. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 84-93, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




A Unified Code 



85 



Arithmetic coding provides an effective mechanism for removing redundancy 
in the encoding of data. It can achieve theoretical compression ratio bounds so 
it has gained widespread acceptance as an optimal data compression algorithm. 
The first practical implementation for arithmetic coding was provided by Witten, 
Neal, and Cleary [1, 12] in 1987 (which is called the WNC implementation in 
this paper). Since then, many different implementations of arithmetic coding 
with different models have appeared. The authors of this paper have investigated 
the possibilities of providing cryptology and error control based on arithmetic 
coding and proposed a scheme providing both encryption and data compression 
[8], a scheme providing both error correction and data compression [10], and a 
scheme providing encryption, data integrity, and data compression, all together 
in a one-pass operation [9]. In this paper we will propose a unified code that 
can provide encryption, error detection, and data compression all together in 
a one-pass operation. The efficiencies in both encryption and data compression 
are the same as our previous schemes but also the scheme can detect almost all 
error patterns inserted from the channel, regardless of the error probabilities. 

2 Arithmetic Coding 

Arithmetic coding is based on the fact that the cumulative probability of a se- 
quence of statistically independent source symbols equals the product of the 
source symbol probabilities. In arithmetic coding each symbol in the message is 
assigned a distinct subinterval of the unit interval of length equal to its prob- 
ability. This is the encoding interval for that symbol. As encoding proceeds, a 
nest of subintervals is defined. Each successive subinterval is defined by reduc- 
ing the previous subinterval in proportion to the current symbol’s probability. 
When the message becomes longer, the subinterval needed to represent it be- 
comes smaller, and the number of bits needed to indicate that subinterval grows. 
The more likely symbols reduce the subinterval by less than the unlikely symbols 
and thus add fewer bits to the message. This results in data compression. When 
all symbols have been encoded, the final interval has length equal to the product 
of all the symbol probabilities and can be transmitted by sending any number 
belonging to the final interval. That means if the probability of the occurrence 
of a message is p, arithmetic coding can encode that message in — log 2 P bits, 
which is optimal in the sense of the shortest length encoding. The pseudocode 
of arithmetic coding is as follows: 



/* In the model, symbols are numbered 1, 2, 3, ... */ 
/* The cum_prob [ ] stores the */ 
/* cumulative probabilities of symbols with */ 
/* cum_prob [i] increasing as i */ 
/* decreases and cum_prob [0] =1 . The encoding */ 
/* transmits any value in the final [low, high) */ 
/* when it is finished. */ 




86 



Xian Liu, Patrick Farrell, and Colin Boyd 



Encoding: The initial encoding interval [low, high) = [0, 1) 
EncodeSymbol (symbol, cum_prob) 
range = high - low; 

high = low + range * cum_prob [symbol-1] ; 
low = low + range * cum_prob [symbol] ; 

Decoding: The initial decoding interval [low, high) = [0, 1) 

DecodeSymbol (cum_prob) 

find symbol such that cum_prob [symbol] 

<= (value - low) /(high - low) 

< cum_prob [symbol - 1] ; 
range = high - low; 

high = low + range * cum_prob [symbol - 1]; 
low = low + range * cum_prob [symbol] ; 
return symbol; 

The WNC implementation for arithmetic coding [1, 12] was the first practical 
algorithm and is widely accepted. The algorithm is provided with either a static 
model or a first-order adaptive model. The algorithm realises integer arithmetic 
and incremental transmission. The arithmetic precision is 16-bit. In their first- 
order adaptive model, all the frequencies are initialised to 1. If the current model 
exceeds the maximum cumulative frequency, the model reduces all frequencies 
by half and recalculates cumulative frequencies. If necessary the model reorders 
the symbols to always put the current one in its correct rank in the frequency 
ordering. Adaptation is performed by incrementing the proper frequency count 
and adjusting cumulative frequencies accordingly. Due to the limit of the first- 
order adaptation, the compression ratio is 50% to 70% according to the size 
and type of the file. However it can be greatly improved by using a higher-order 
adaptive model. 

3 Our Basic Scheme 

Of course, the purpose of data compression is to reduce the redundancy in the 
message. On the other hand, redundancy contained in the output of a cryptosys- 
tem is usually one of the main resources to be used by the cryptanalyst. Also 
in an adaptive model, the current state in the model is related to the initial 
state and all of the messages that have been encoded so far since the model 
was initialised. Based on these facts Witten et al [11] suggested that an adaptive 
arithmetic coding algorithm may provide high level security. They also indicated 
that to use an adaptive modelling compression algorithm as an encryption algo- 
rithm it was enough to transmit the initial state in the model as a key over a 
secure channel. 

3.1 Witten-Cleary Proposal 

In 1988 [8] Witten and Cleary suggested two ways to insert the key into arith- 
metic coding: 




A Unified Code 



87 



Method 1: The initial model is used as the key in which an array of single- 
character frequencies in the range of 1-10 would do. 

Method 2: A constant initial model is used and before transmission begins 
both the encoder and decoder assimilate a short secret message into the model. 

Their further suggestion is that the adaptive links should be maintained over 
long periods of time; i.e. the final model of encoding the current message will 
become the initial model to encode the next message. 

Aiming at Method 1 in Witten-Cleary proposal with WNC adaptive imple- 
mentation, Bergen and Hogan suggested a chosen plaintext attack on first-order 
adaptive arithmetic coding in 1993 [2]. Instead of trying to recover the initial 
model the Bergen-Hogan attack tries to take control of the model and reduce it 
to a manageable form. If the encoder does not initialise its model, the attacker 
can decrypt any message transmitted after the attack is done. To be successful, 
in the Bergen-Hogan attack an associate as well as an attacker are necessary. The 
associate needs to send 2^® symbols and the attacker needs to try decoding the 
test string 2^"^ times. Up until now the Bergen-Hogan attack is the only feasible 
attack on the adaptive arithmetic coding encryption algorithm. 

3.2 Our Basic Scheme 

In [8, 9] we proposed our initial scheme to provide both encryption and data 
compression, and the scheme to provide encryption, data integrity, and data 
compression all together in a one-pass operation. In this section we will sum- 
marise some of the related results and the further results on the updated scheme 
providing both encryption and data compression. The key point is that we found 
without any exception that if the state in the adaptive model in the decoder is 
only slightly different from that in the encoder the decoder is unable to work at 
all and if the current interval in the decoder is only slightly different from that 
in the encoder the decoder is also unable to work at all. 

The Scheme 

1. Select an initial frequency count for every symbol randomly, which acts as 
the initial state in the model. The only restriction is that these numbers are 
all larger than 0. 

2. Select the initial interval within the full range randomly, but the length of 
the initial interval should not be less than (2^® — l)/4. 

3. Select a secret 16-bit substitution with key size 16 bits, which is used to 
substitute for the first 16-bit output of the encoding. 

4. Choose two secret parameter pairs (£°,£°) and (ej.el) which are used to 
shrink the current interval controlled by a random 64-bit string cyclically, 
where the four parameters are different. 

3.3 The Key Size 

Firstly, 96 bits can be used to indicate the initial state. There are 96 symbols 
with exact meaning in the extended ASCII set in text compression, so 96 bits 




Xian Liu, Patrick Farrell, and Colin Boyd 



are enough to indicate the initial state. If the bit is 0 set the count of the symbol 
to 2, otherwise to 3. Set the counts of the remaining 160 symbols to be 1. The 
total number of different initial states in the model is 2®®. Secondly, 32 bits can 
be used to indicate the initial interval. The initial interval can be indicated by 
determining low and high, or low and range, so 16 bits are used to indicate one 
of them and 32 bits for both. The number of all of the valid initial intervals is 
2^*^. Thirdly, 40 bits can indicate the shrinking parameters, e] is chosen to be 4 
decimal digits in the form of 0.0*** and is chosen to be 4 decimal digits in 
the form of 0.9***. The unknown part in every parameter ranges from 0 to 999, 
so 10 bits are necessary to indicate each of them. And then, we use 64 bits for 
the random control string. Finally, 16 bits are used for the 16-bit substitution 
key size. A secret 16-bit substitution with key size 16 bits is preferable. So the 
total key size for the scheme is 248 bits. It should also be pointed out that in 
our basic scheme, the second shrinking for the low is based on the new interval 
resulting from the first shrinking for the high. 

3.4 Communication Protocol 

Protocol 1: The final state in the model during encoding of the current message 
becomes the initial state of the model to encode the next message, and during 
the lifetime of using the same key the model will be initialised regularly. When 
encoding the current message is finished, shift the cyclic shift register storing the 
64-bit random string one step and the next bit will become the first control bit 
to control the first shrinking in encoding the next message. Whenever finishing 
the encoding of the current message, all of the rest will be initialised. 

This protocol has the advantage that the initial model to encode the next 
message is relevant to all of the messages which have been sent since initialisation. 

Protocol 2: The only change compared with protocol 1 is that whenever 
encoding is finished, the model is re-initialised. 

Protocol 2 on its own definitely denies the Berger-Hogan attack because the 
attack is unable to find the initial state in the model. Until now the Bergen- Hogan 
attack is the only powerful approach to attacking arithmetic coding encryption 
algorithms, so protocol 2 is preferable. 



3.5 The Strength 

In the Bergen-Hogan attack the attacker knows he matches the keying materials 
only when he successfully decodes the test string. To use the Bergen-Hogan at- 
tack on our proposal, the associate’s strategy is the same as that to attack with 
the Witten-Cleary proposal, but the attacker’s work will be increased dramati- 
cally. In order to decode the test string the attacker has to find the first symbol’s 
frequency count in the standard form, the initial interval, the substitution, the 
pairs (e°,£°) and (e°,e°) , and the 64-bit control string all together, instead of 
just trying the first symbol’s frequency count in the standard form 2 times in 
breaking with the Witten-Cleary proposal. The attacker has to try to decode 
the test string 2^^ 2^° 2^® 2^® 2^® 2®^ = 2^®® times. Partially finding 




A Unified Code 



89 



the keying materials is also very difficult. The reasonably simplest way for the 
attacker would be to firstly find the first symbol’s frequency count in the stan- 
dard form together with the initial interval. For this purpose the attacker only 
needs to decode the first symbol in the test string, but he has to try decoding 
214 230 2io 2^0 = 2^0 ^imes. 

It has been shown in [8, 9] that compared with the WNC first order adaptive 
implementation, the compression ratio of our scheme is only 2 % worse and the 
running time is slightly less than double of that of the WNC implementation. 
Furthermore, the encoded files with our scheme have very good randomness. 
Changing any number of bits in the file to be encoded results in the fact that 
from the position in the encoded file that the first changed bit corresponds to, 
then in the subsequent output, if this encoded file is compared with the encoded 
file resulting from the totally unchanged original file to be encoded, the changed 
bits and unchanged bits take the probabilities 0.5, and distribute uniformly and 
randomly. Furthermore, the outputs of our scheme and the files of the bitwise 
modulo 2 addition of the output of our scheme and the outputs of our scheme 
with the key being changed randomly, as well as the file of the bitwise modulo 
2 addition of the output of our scheme with the file to be encoded in which one 
bit near the beginning was inverted and the output of our scheme with the un- 
changed file to be encoded have passed the frequency test, the binary derivative 
test, the change point test, the poker test, the runs test, the sequence complexity 
test, the linear complexity test, and Maurer’s universal test (the statistical test 
software Crypt-X [5] is from the Information Security Centre at the Queensland 
University of Technology), and also there is no statistical difference between the 
output from our modified scheme and that from the DES. So good plaintext 
diffusion and ciphertext avalanche are achieved. Also, in the modified scheme, 
the keying materials have very good effects on balance, diffusion, completeness, 
and avalanche. 

It has also been shown in [8, 9] that a general approach to attacking our 
scheme is difficult and our scheme can resist other related attacks [4, 6] to arith- 
metic coding encryption algorithms. In fact, if the model our scheme works 
with is a fixed binary model with known symbol probabilities, and the initial 
substitution is ignored, and also the scheme works with theoretical arithmetic 
coding, finding the key is equivalent to solving two polynomial equations with 
70 variables and degree 256. However, this analysis is based on a much simplified 
fixed binary model and with ideal theoretical arithmetic coding. Practically, our 
scheme works with the Witten-Cleary first order adaptive model with alphabet 
size 256. So far, there has not been any method to trace the evolution of the 
adaptive model. Also our scheme works with Witten-Cleary implementation for 
arithmetic coding. Quite a few practical strategies in the implementation make 
the coding procedure much more difficult to trace than in theoretical arithmetic 
coding. In fact, there are a number of main differences between the scheme with 
theoretical arithmetic coding with a fixed binary model and the scheme with 
WNC first order adaptive arithmetic coding. Firstly, for the WNC first adap- 
tive arithmetic coding, there is no way to find the exact current state in the 




90 



Xian Liu, Patrick Farrell, and Colin Boyd 



adaptive model. One may argue that as the uncertainty of the current state in 
the adaptive model, if a chosen plaintext attack is used and the secret shrinking 
parameters, the initial interval, and the secret control string as well are known, 
totally depends on the secret initial state in the model, after encoding a huge 
known file the effect from the initial model is trivial; i.e., it can be converted 
from any known initial model. However, this is not true with WNC first order 
adaptive model. Approximation does not make any sense unless the two current 
states are the same in arithmetic coding. Secondly, WNC adaptive arithmetic 
coding uses 16-bit finite precision. That means it has to expand the current in- 
terval after encoding (decoding) one symbol. Such expansions are unpredictable 
and untraceable with our scheme. Therefore, such a regular relation between 
the input and the output in the encoder definitely does not hold in our scheme 
with WNC adaptive arithmetic coding. One thing clear is that if a mathemat- 
ical relation exists in WNC adaptive arithmetic coding it must be much more 
complicated. 

4 A Scheme Providing Encryption, Error Detection, and 
Data Compression All Together 

In arithmetic coding, the decoding is successful only when the current interval in 
the decoding is identical to that in the encoding and the current state in decoder’s 
model is the same as that in encoder’s model. In case the current interval or the 
current state in the model in the decoder is not the same as that in the encoder, 
the whole subsequent encoded file would be unable to be recovered. That is, 
even a single bit error appearing in transmission would probability corrupt the 
remainder of the file. So the problem with the compressed data is that it is 
highly susceptible to transmission errors. The better the compression achieved, 
the more serious the effect will be. In practice, error control techniques will have 
to be used to prevent transmission errors and to provide arithmetic coding with 
a completely noise free channel. 

In fact, it is not difficult to introduce redundancy into arithmetic coding. An 
obvious way to introduce redundancy into arithmetic coding is to shrink the cur- 
rent interval in some way: after encoding a symbol or periodically. This method 
is equivalent to the method demonstrated as follows, because to add the same 
amount of redundancy periodically is the same as to encode an extra symbol 
with fixed probability periodically. Besides the adaptive compression model, we 
use an additional fixed model, in which there are only two symbols: the check 
symbol and the forbidden symbol. The check symbol is encoded periodically af- 
ter one or several symbols from the adaptive compression model is encoded, and 
the forbidden symbol is never encoded. In decoding, the compression and check 
models are used alternately. If the forbidden symbol is decoded, an error has 
occurred. Redundancy can be controlled by varying the probability of the check 
symbol. Like convolutional codes, the redundancy is spread evenly through the 
message and errors may be detected soon after they occur. The error control 
performance will be related to how frequent the check symbol is encoded as well 




A Unified Code 



91 



as how much the current interval is shrunk or the probability of the check symbol 
arranged in the fixed check model. 



4.1 The Scheme 

The third author of this paper proposed a scheme [3] which provides both error 
detection and data compression. The strategies he used are to shrink the current 
interval by a fixed amount after encoding (decoding) every symbol, to add an 
extra final check symbol after encoding (decoding) the EOF symbol to detect 
errors at the end of the file, and to exclusive-or every adjacent pair of output 
bits to be able to detect single isolated error bits. It was declared in [3] that the 
scheme could detect all single isolated error bits. 

In order to provide error detection in our basic scheme as well, it is definitely 
necessary to introduce some kind of redundancy into the encoding procedure. In 
our basic scheme we shrink the current interval twice after encoding (decoding) a 
symbol, which is one of our main steps to insert the secret key. It is our opinion 
that we have already added appropriate redundancy in the coding procedure 
even though it was not intended for error detection. We also think that it is not 
necessary to exclusive-or adjacent pair of output bits, but we do need to encode 
an extra final check symbol at the end of each file. 

Compared with our basic scheme we only need to encode an extra final check 
symbol after encoding the EOF symbol for each file to achieve encryption, data 
compression, and error detection all together in a one-pass operation, with almost 
no extra price. 



4.2 Performance 

We have done exhaustive tests for the performance of the error detection abilities 
of our scheme. The decoder always succeeds in detecting the first error bit and 
stops after a short delay. We have also found that the extra final check symbol 
is very effective in detecting any errors at the end of the file. The error detection 
performance of this scheme is independent of the error probabilities. 

In the formal test, the file tested is bookl.html from the Calgary Corpus with 
size 768771 bytes, which is a typical English technical report, and the compressed 
size is 451729 bytes; the compression ratio is 59%. Random errors are inserted 
to construct four groups of error probabilities: i/1000000 i = 1,2,..., 999 , 

i/100000 i = 1,2,..., 999 , i/10000 i = 1,2,..., 999 , and i/1000 i = 
1,2,..., 1000 , which result in about 4000 different values of error probability 
ranging from 10^® , step by step, to 100%. According to these error probabilities, 
random errors are inserted into the encoded file, resulting in about 4000 error 
corrupted encoded files. The decoder succeeds in detecting the first error bit in 
all of the 4000 files after a short delay. The mean value of the delay is 92.88 
bits and the standard deviation of the delay is 95.16 bits. That means, in the 
exhaustive test, the decoder always finds the first error inserted after a delay of 
around 92.88 bits. 




92 



Xian Liu, Patrick Farrell, and Colin Boyd 



The experimental results from the exhaustive test allow us to predict that 
the scheme can detect most if not all error patterns inserted from the channel, 
independent of the error probabilities. This is in contrast to the fact that in the 
original arithmetic coding scheme the decoder cannot usually detect errors. 

It is necessary to compare the performance of our scheme with the perfor- 
mances of dedicated standard error detection codes. Traditionally, the dedicated 
error detection codes are cyclic redundancy check codes (CRC), such as lEC 
TC57, IEEE WG77.1, ANSI, IBM-SDLC, and CCITT X.25, because cyclic codes 
are very effective in detecting burst errors [7] . 

The CCITT X.25 CRC code has the generator polynomial: 

G{x) = + 1. 

The minimum distance of this code is 4. In a block length up to 32768 bits 
it can detect: all triple or fewer random errors, all odd numbers of errors, all 
bursts of length up to 16, and 99% of all other longer bursts. However, there are 
many combinations of error patterns of even weight that the code cannot detect 
and that means it can only detect 50% of all of errors. So the error detection 
performance of our scheme is even better than that of the dedicated standard 
cyclic redundancy check codes. However, in addition, our scheme can provide 
both encryption and data compression. 

5 Conclusions 

In this paper we present a scheme that can provide data encryption, data com- 
pression and error detection all together in a one-pass operation. The scheme 
is based on WNC implementation for arithmetic coding in which a first order 
adaptive model is used. The total key size is 248 bits. The statistical properties 
of our scheme are very good. Attacking this scheme is difficult. The compres- 
sion ratio is about 2% worse than WNC implementation for arithmetic coding. 
The scheme can detect almost all patterns of errors inserted from the channel, 
independent of the error probabilities. 

References 

1. Bell T., Cleary J., and Witten L: Text compression, Prentice Hall, 1990. 

2. Bergen H. and Hogan J.: “A chosen plaintext attack on an adaptive arithmetic 
coding compression algorithm”. Computers and Security, Vol. 12, 1993, pp. 157- 167. 

3. Boyd C., Clearr J., Irvine S., Rinsma-Melchert L, and Witten L: “Integrating error 
detection into arithmetic coding”, IEEE Trans. COM, Vol. 45, No.l, 1997, pp.1-3. 

4. Cleary J., Irvine S., and Rinsma-Melchert I.: “On the insecurity of arithmetic cod- 
ing”, Computers and Security, Vol. 14, 1995, pp. 167- 180. 

5. Crypt-X, Statistical Package Manual, Measuring the Strength of Stream and Block 
Ciphers. Information Security Research Centre, Queensland University of Technol- 
ogy, 1990. 




A Unified Code 



93 



6. Irvine S. and Cleary J.: “The subset sum problem and arithmetic coding”, private 
communication, 1995. 

7. Klove T. and Korzhik V.: Error Detecting Codes, General theory and their applica- 
tion in feedback communication systems, Kluwer Academic Publishers, 1995. 

8. Liu X., Farrell P., and Boyd C.: “Resisting the Bergen-Hogan attack on adaptive 
arithmetic coding”, LNCS-1355, Cryptography and Coding, Springer, December, 
1997, pp.199-208. 

9. Liu X., Farrell P., and Boyd C.: “Arithmetic coding and data integrity” , Proceedings 
of WCC’99, pp. 291-299, Paris, 11th- 14th January, 1999. 

10. Liu X. and Farrell P.: “Arithmetic coding with error correction”. Proceedings of 
PREP’99, pp. 330-333, Manchester, 5th-7th January, 1999. 

11. Witten I. and Cleary J.: “On the privacy afforded by adaptive text compression”. 
Computers and Security, Vol.7, 1988, pp. 397-408. 

12. Witten L, Neal R. and Cleary J.: “Arithmetic coding for data compression”, Com- 
munications of the ACM, Vol.30, No. 6, 1987, pp. 520- 540. 




Enhanced Image Coding for Noisy Channels 



Paul Chippendale, Cagri Tanriover, Bahram Honary 

Department of Communication Systems 
Lancaster University, Lancaster LAI 4YR, United Kingdom 
I p. C hippendale, c. tanriover, b.honarvl@lancs.ac.uk 
http : / /WWW. dcs . lanes .ac.uk 



Abstract. This paper explores the application of a combined error resilient 
coding scheme to image transmission over time-varying noisy channels. To 
improve performance at low signal-to- noise ratios, turbo coding is incorporated 
into the system. Demonstrated through simulations, this novel combination of 
source and channel coding is shown to correct and restrict errors incurred 
during transmission over Additive White Gaussian Noise (AWGN) and 
Rayleigh Fading channels. The error correcting capability of the coding scheme 
also illustrated with compressed and uncompressed image transmission results 
which are comparable in terms of their visual quality. 



APEL Coding 

Absolute addressed Picture ELement coding (APEL) [1], [2] is a lossless, robust 
image coding system which translates variable sized pixel areas of pre-defined 
dimensions into independent picture blocks (pels). Each pel is issued with two co- 
ordinates, X and y, establishing an absolute location with respect to an origin. 

As the APEL coding technique operates on a binary level, the encoding of n-bit 
grey-scale or colour images employs a Bit Plane Coding (BPC) [2] stage. The BPC 
stage furnishes the APEL encoder with a colour coding sequence to represent a given 
source image in n binary planes. 

Taking each extrapolated binary plane in turn, a recognition algorithm searches 
through each image looking for square areas of black pixels; starting with large 
square pels during the first scan, then repeating this process in multiple passes 
selecting pels of decreasing magnitude. The maximum size of the initial pel is limited 
according to the anticipated nature of the channel, consequently less information is 
lost should corruption occur. Once all of the square pels of an efficient size have been 
removed from the plane, run-lengths of various geometries are used to encode the 
residue. Eig. 1 illustrates an APEL encoded section of an image. Here, it can be seen 
how (x,y) co-ordinates are assigned to pels of various geometries. 



M. Walker (Ed.): IMA - Crypto & Coding'99, LNCS 1746, pp. 94-103, 1999. 
© Springer- Verlag Berlin Heidelberg 



Enhanced Image Coding for Noisy Channels 



95 



Horizontal Resolution, X 




Fig. 1. APEL coded section of an image 



The data-stream created from this process can be pictured as a succession of {x,y) 
addresses, grouped according to pel size and interspersed with control symbols (see 
Fig. 2). These symbols not only serve to provide synchronisation markers, but in 
addition convey pel geometry metrics to the decoder [2], 



Absolute addresses 




Control symbol 


(x,y) 


(x,y) 


(x,y) 


(x,y) 



Control symbol 



Pel parameter and 
synchronisation information 



Fig. 2. Breakdown of APEL data stream 



The APEL scheme alleviates the need for End Of Line (EOL) symbols and, as 
each codeword is independent, offers a solution to the problems of horizontal and 
vertical error propagation. Additionally, as each pel has its own address, it is possible 
to interleave them within the transmitted data-stream. This versatility can be utilised 
in many ways, for example: pels pertaining to important image detail can either be 
dispersed throughout the data-stream or transmitted at the start depending on channel 
conditions or operator preference. 



Application of Turbo Coding to APEL 

Turbo codes [3] are forward error correction schemes which employ concatenated 
component codes, interleaving and iterative decoding principles to achieve bit error 
rate performance close to the Shannon limit. Decoding is performed by the sub- 
optimal log-Maximum Aposteriori Probability (MAP) algorithm [4], which improves 





96 



Paul Chippendale, Cagri Tanriover, and Bahram Honary 



the accuracy of the decoded information symbols through a set of iterations where 
soft extrinsic information is passed between the component decoders. 

In this paper, a turbo encoder with parallel concatenation is incorporated into an 
APEL system. The turbo codec implemented is composed of two recursive systematic 
convolutional component codes, of rate Vi and constraint length 3 . In general, the use 
of systematic convolutional codes provides robustness against decoding errors by 
decreasing the minimum free distance of the code. As a consequence of minimising 
the free distance, the error correction capability of the system improves. It is this 
feature of systematic convolutional codes that prevents catastrophic error 
propagation. 

It should also be noted that the turbo decoder used in this coding scheme is 
designed to correct random errors only, hence the majority of burst errors 
encountered during transmission cannot be corrected. 



Results 

To demonstrate the benefits gained and also to provide benchmarks for comparison, 
in addition to incorporating turbo coding into an APEL system, we also concatenated 
the aforementioned turbo codec onto JPEG [5] and bitmap (BMP) file formats. 
Simulations over AWGN channel, at various signal-to-noise ratios, attest to the 
excellent performance of the APEL-turbo combination compared to the application of 
turbo coding onto JPEG and BMP file formats. The results presented in this paper 
were obtained from simulations conducted using an interleaver length of 8000 bits 
and performing 16 decoding iterations. 




Fig. 3. Turbo coded image transmission over AWGN channel Turbo coded JPEG (o). Turbo 
coded BMP (+), Turbo coded APEL (*) 





Enhanced Image Coding for Noisy Channels 



97 



Visual effects of bit errors can be assessed in terms of pixels. Therefore, the error 
performance of the images was presented in a ratio called “Pixel Error Rate (PER)”, 
which indicates the degree of image degradation. 

Through the analysis of the i* received pixel’s variance from its transmitted value, 
a measure of visual disturbance, Aj, can be quantified as in (1), where t. and r. 
represent the transmitted and received pixel colours respectively, for an n colour 
image. 



A, =■ 



( 1 ) 



Erom (1) it follows that the PER is calculated as in (2), 



PER = 



1 

XY 






( 2 ) 



where X and Y are the horizontal and the vertical resolution of the image, 
respectively. 

As Eig. 3 shows, the performance of the Turbo- JPEG scheme is very poor in the 
1.0 - 1.4 dB range. This is due to the inherent fragility of the JPEG structure and its 
inability to correct or restrict the propagation of any errors. 

As expected, the performance of the BMP-turbo scheme is good throughout the 
range. This results from the complete independence of all pixels from one another. 
Hence, when errors cannot be repaired by the turbo decoder, only pixels with 
corrupted bits are affected. 

Finally, as Fig. 3 clearly indicates, performance close to, and, as the channel 
improves, surpassing that of the BMP-turbo model is achieved by the turbo coded 
APEL. In the region after 1.175 dB, the post-processing techniques employed by 
APEL [2] recover many of the damaged pixels which could not be corrected in the 
case of BMP. 

To observe the visual impact of data errors, samples of the various file formats 
have been decoded at a signal-to-noise ratio of 1.175 dB (Fig. 5-Fig. 7). To provide a 
qualitative reference for comparison, an uncoded version of the BMP file transmitted 
over the same channel has been included (Fig. 4). 

In this example, although the PER is the same for images in Fig. 6 and 7, the 
subjective quality of the latter is slightly better. This results from the less frequent and 
clustered nature of the pixel errors in the APEE image, and the effects can be seen in 
more detail in the magnified areas in these figures. 

Since the APEL image coding scheme is lossless, the compression level relating to 
the JPEG format was reduced to provide a fair comparison, although even at this 
minimal level of compression the JPEG image was found to be greatly modified 
pixel-wise from that of the source. The attained compression ratio for these two 
formats, APEL and JPEG, was nevertheless still around 3 to 1, offering a substantial 
reduction over uncompressed BMP data. 




98 



Paul Chippendale, Cagri Tanriover, and Bahram Honary 







Fig. 4. Uncoded BMP image transmitted through AWGN channel at 1.175 dB 



Fig. 5. Turbo coded JPEG image transmitted through AWGN channel at 1.175 dB 







Fig. 7. Turbo coded APEL image transmitted through AWGN channel at 1.175 dB 




100 



Paul Chippendale, Cagri Tanriover, and Bahram Honary 



Turbo coded JPEG, bitmap and APEL images were also transmitted over a 
Rayleigh channel with a maximum of 200 burst errors introduced randomly in each 
interleaver block. Eigures 9 through 11 illustrate the system performance in the 
presence of burst errors. The uncoded BMP image has also been included to provide 
an insight into channel conditions (Pig. 8). Unlike the Gaussian channel, errors in the 
more severe Rayleigh case made for unreliable and inconsistent PER plots. It was 
observed that the dynamic range of the decoded image quality was wide in this case. 

Due to the severe effects of burst errors, Turbo-JPEG fails to maintain data 
integrity and synchronisation after decoding (Pig. 9). The fragile structure of 
Huffman coding stage makes it almost impossible to withstand such channel 
conditions. In addition, since the turbo decoder is unable to correct burst errors, 
image transmission with Turbo-JPEG becomes very unreliable. 

As illustrated in Pig. 8, channel errors are introduced as both randomly and in 
bursts. The Turbo-BMP scheme (Pig. 10) was observed to eliminate the majority of 
random errors effectively, however the majority of burst errors remained uncorrected. 
In other words, this scheme behaved similar to a ‘burst-pass filter’, where erroneous 
pixels appeared as trails of various lengths after decoding. 

Turbo-APEL (Pig. 11) performance in the presence of burst errors, is visually 
comparable to that of Turbo-BMP (recall that the APEL image has 3:1 compression!). 
Channel errors which affect pels from various bit planes can be corrected through an 
analysis of the other planes. In other words, the post-processing techniques 
introduced by APEL coding, provide a powerful means of interpolating pixels using 
valid image information. Hence, the output of the ‘burst-pass filter’ can be further 
processed to correct more pixel errors than in the other cases. However, as the 
number of burst errors per information block is increased, distortion in APEL images, 
as anticipated, remain noticeable despite the post-processing. 

Secondly, the interleaving stage in APEL coding, distributes pixel errors across the 
entire image (Pig. 11). Visually, small clustered errors are less disturbing to the eye 
than erroneous pixel trails (Pig. 10). 



Conclusions 

We have proposed the combination of APEL and turbo coding in order to produce an 
enhanced image transmission system for low signal-to-noise ratios. Moreover, images 
in Pig. 6 and 10 require more bits to encode and transmit than images in Pig. 7 and 
Pig. 1 1 ; further underlining the advantages of the APEL turbo scheme outlined here. 

Even though APEL coding is used with a Turbo decoder that is not powerful 
enough to correct burst errors, the second interleaving stage in APEL is seen to 
minimise the visual impact of errors. This visual improvement is achieved by the 
spreading of burst errors across different bit planes, which provides an interleaver 
gain at the decoder. 




Enhanced Image Coding for Noisy Channels 



101 




Fig. 8. Uncoded BMP image transmitted through Rayleigh channel at 4.0 dB 




Fig. 9. Turho coded JPEG image transmitted through Rayleigh channel at 4.0 dB 





12 







Enhanced Image Coding for Noisy Channels 



103 



In addition, within the APEL image, whilst the majority of bit errors are corrected 
via iterative decoding, any which evaded detection (and thus perhaps falsely inserted 
as erroneous pixels) are restricted as a result of the robust data structure. 

The novel combination of source/channel image coding technique, in this case 
APEL, with additional channel protection provides not only a resilience to Gaussian 
type errors, but also offers a powerful tool for the restriction and correction of burst 
errors. 

To conclude, this approach can be further explored to develop integrated coding 
techniques, which could provide more reliable image communication means for noisy 
channels. 



Acknowledgements 



The authors wish to thank DERA Malvern and NDS Ltd for their financial and 
technical support. 



References 



1. Chippendale, P., Honary, B., Arthur, P. and Maundrell, M.: International Patent Ref.: PCT 
GB 98/01877, ‘Data Encoding System’, 1999 

2. Chippendale, P.: ‘Transmission of images over time- varying channels’, PhD Thesis. August 
1998 

3. Berrou, C., Glavieux, A., Thitimajshima, P.: ‘Near Shannon Limit Error Correcting Coding 
and Decoding: Turbo-Codes’, IEEE Proc. ICC ’93 Geneva. Switzerland. May 1993, pp. 
1064-1070 

4. Hagenauer, J., Offer, E., Papke, L.: ‘Iterative Decoding of Binary Block and Convolutional 
Codes’, IEEE Transactions on Information Theory, Vol. 42, No. 2, March 1996 

5. International Organisation for Standardisation.: ‘JPEG Digital Compression and Coding of 
Continuous-Tone Still Images’. Draft ISO 10918 . 1991 

6. NewScientist: ‘The sky’s the limit’, No.2193, 03.07.1999, pp. 6 




Perfectly Secure Authorization and Passive 
Identification for an Error Tolerant Biometric 

System 



George I. Davida^ and Yair FrankeP 

^ Center for Cryptography, Computer, and Network Security, 
University of Wisconsin- Milwaukee, USA. 
davidaOcs . uwm . edu 
2 CertCo Inc., New York, NY, USA. 
yfrankelQcs . columbia.edu, yfrankelOcryptographers . com 



Abstract. A biometric identification system was recently developed and 
analyzed as a secure mechanism for user authentication. The system pro- 
vided for the confidentiality, without the use of cryptographic encryption, 
of the user’s biometric information stored in public verification templates. 

Here we demonstrate that the use of majority decoding can enhance the 
prior techniques in several ways. One enhancement allows the biometric 
authentication system to leak no information about a user’s biometric 
when using the proper computational assumptions. Another enhance- 
ment is a passive identification system. 



1 Introduction 

An Iris scan is a biometric technology which uses the human iris to authenticate 
users [BAW96, HMW90, Dau92, Wil96]. This technology produces a 2048 bit 
user biometric template such that any future scan of the same user’s iris will 
generate a “similar” template. By similar, we mean having an acceptable Ham- 
ming distance within a predefined range, usually up to ten percent of the size of 
the code (e.g., Hamming distance between original reading and future reading 
is set to be in the range from 20 to 200). Moreover, the Hamming distance for 
the biometric readings of two different users has been shown to be much higher, 
about 45 percent (or 921 bits). 

One can think of a biometric reading of a user as a faulty communication 
channel which may introduce a limited number of errors. Informally the typical 
biometric system works in the following manner. A user’s biometric template 
is registered. A future reader compares the newly generated template with the 
registered template to test for closeness. With respect to iris scan technology 
closeness is measured by the Hamming Distance. 

In the work [DFM98], the feasibility of protecting the privacy of a user’s bio- 
metric and other security features were studied. It was suggested that providing 
additional privacy for the user’s biometric may provide for stronger user accep- 
tance. (For instance, an iris template may be used to determine some medical 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 104-113, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




Perfectly Secure Authorization and Passive Identification 105 

conditions by an insurance company instead of the legitimate identification pro- 
cess the user submitted to.) The objective in [DFM98] was to allow protection 
of a user’s biometric information in unprotected devices (such as a magnetic 
strip) or in a publicly accessible database (such as in a public key certificate). 
To address scalability concerns, private keys by the user or the reader was not 
used. Also, encryption is prone to loss of the cryptographic keys from the reader 
(i.e., the loss of a single key compromises every user). 

Providing for authorization bound to a biometric template appears to be 
inherently difficult in this model, because the user’s biometric template cannot 
exist in the clear on the storage device. To eliminate the need for storage of the 
biometric (in the clear or encrypted form), a new verification algorithm had to 
be developed. 

The primary tools of the work of [DFM98] were error correcting codes (in- 
cluding majority decoding) and cryptographic methods. Later, the effectiveness 
of majority decoding was further analyzed by [DFMP]. Due to the effectiveness 
of majority decoding we are able to even further improve the error correcting 
codes (ECC) /Crypto based biometric system. 



1.1 The Result 

We enhance the system of [DFM98] in two ways: 

— Though a biometric reading contains significant errors with respect to the 
original reading, we show how to use a biometric scan as an index in order to 
provide a scalable passive user identification system. By passive identification 
system we mean it can uniquely identify a user from a set of registered users 
through the use of only a biometric scan and no other input. 

— We develop a system with perfect information preservation. The scheme in 
[DFM98] leaks approximately as many bits, in an information theoretical 
sense, as there are redundancy (error correcting) bits to correct errors in a 
biometric template. However, there was no way to quantify what kinds of 
bits are leaked and under what assumptions. Here we demonstrate that in 
a computational model, majority decoding can be used in a manner that no 
information is leaked with sufficiently high probability. 

2 Background 

2.1 Error Correcting Codes 

Majority decoding: In the rest of the paper, we will consider only binary error 
correcting codes. We will denote by a 6 the concatenation of two strings a,b. 

Let Vi = ■ ■ ■ , Vi,n be n bit code vectors. Given odd M vectors Vi, 

a majority decoder computes vector V = {Vi.Va ■ ■ ■ ,Vn , where 



Vj = (majority(uij, . . . , vmj) , 




106 



George I. Davida and Yair Frankel 



i.e., Vj is the majority of O’s or I’s of bit j from each of the M vectors. We shall 
use majority decoding primarily to get the best biometric reading possible, thus 
reducing the Hamming distance between successive final readings V. 

In the biometric authentication protocol, described in Section 2.2 the bio- 
metric being measured will be estimated by sampling since the actual unique 
iris is not measured with precision. The samples that are taken of the iris will 
converge to the actual unique individual biometric, with majority decoding, with 
high probability. 

Error correction: An [n, k, d] code [Ber68, MS78, PW88] is a code of n bit 
codewords (vectors) where k is the number of information digits and d is the 
minimum distance of code. Such a code can correct at least t = (d — l)/2 errors. 

Note: Bounded distance decoding: In the rest of the paper, we assume 
that the decoding performed at the point of verification is to correct at most 
(d — l)/2 errors. This is necessary to ensure that no bogus biometric is decoded 
into a valid one. Bounded distance decoding can be readily implemented through 
a simple count of the Hamming weight of the error vector computed. In some 
decoding schemes, the error locations that are computed are the roots of some 
polynomial a{z) over GF(2™) of degree t = degree{a{z)). If t > t = (d — l)/2 
then the biometric is rejected. 



2.2 An Error Correcting Based Biometric System 

The primary observation of [DFM98] is that a user’s biometric template can 
be viewed as the information bits of an error correcting code. Now instead of 
storing the biometric template only the error correction bits are necessary on 
the storage device, a magnetic strip card for simplicity^. Since only the check 
bits are stored on the user’s card, the available information about the biometric 
template is reduced. On the other hand, the reader can take a new reading of 
the user’s biometric template, append the ECC check bits, remove the errors 
using bounded distance decoding, and finally, with high probability, reproduce 
the original template, which can be verified with the signature on the token. 

One other hurdle has to be overcome to provide security. The signature may 
itself leak the user’s template. Observe that (M, SIG(M) — is a signature for 
message M which leaks all bits of M, yet is a valid signature of M. To resolve 
this problem, special hash functions were used in [DFM98]. 

Here is a brief summary of the basic off-line biometric protocol presented 
in [DFM98]. 

System Setup: The authorization center generates its public and private keys 
and disseminates its public key to the biometric readers. The system also sets 
up an [n, k, d] code. 

User Initialization: To register, M biometric templates of length k are inde- 
pendently generated for the legitimate user. Majority decoding is then applied to 

^ A smartcard, a database record, a public certificate can be stored as well. 




Perfectly Secure Authorization and Passive Identification 



107 



the M biometrics to obtain the user’s k bit template T. Given the k information 
digits T, an n digit codeword T-C is constructed, where C are the check digits, 
in the [n, k, d] code defined at system setup. A storage device is constructed with 
the following information: 

1. Name of the individual, NAME. 

2. Other public attributes ATT, such as the issuing center and a user’s access 
control list. 

3. The check digits C, of the biometric. 

4. Sig(Hash(NAME, ATT, T-C)) where Sig(x) denotes the authorization offi- 
cer’s signature of x, and Hash(^ is a partial information hiding hash func- 
tion [Can97] (e.g., Sig(Hash(^) is a content-hiding signature) or a random 
oracle (See [BR93]). 

Biometric verification process: When a user presents herself/himself and the 
card with the information described above, M biometric templates are inde- 
pendently generated for the user. Majority decoding is applied to the M bio- 
metric vectors to obtain the user’s k bit template T . Error correction is per- 
formed on codeword T -C to obtain the corrected biometric T . The signature 
Sig(Hash(NAME, ATT, T -C)) is then verified. Successful signature verification 
implies the user passed the identification step. For simplicity of exposition, we 
assume that occasional rejection of a valid user is acceptable (the user would 
simply repeat the scan). In applications where rejection of a valid user is not 
acceptable, the parameters of the system can be changed so that such an event 
has negligible probability. Determining the correct parameters in such a case in- 
volves bounding the area under the tail of a binomial distribution (or a Normal 
approximation to the binomial distribution via the Central Limit Theorem). 

Proof of security and in particular the choice of hash functions were discussed 
in [DFM98]. Moreover, the usefulness of majority decoding to detect impostors 
was discussed in [DFMP] 

3 New Techniques 

We now discuss the two new techniques: perfect confidentiality and passive iden- 
tification. The new techniques are based on the following observation: Given a 
2048 bit iris code, majority decoding is used on a sufficient number of samples 
to reduce the expected number of errors to a small number, e.g. 1 per block of 
2048 bits. 



Expected 



No. of Per bit prob. 
scans of error 


no. of errors 
in a 2Kb scan 


1 


0.1 


205 


3 


0.028 


58 


11 


0.000306 


1 


21 


0.00000135 


.002 




108 



George I. Davida and Yair Frankel 



Once a reduced-error iris code is obtained using majority decoding, we con- 
struct D indices Ij,l — j — D from I-SIZE subsets of T with the GEN-Index 
function as follows: 

Step 1 Set j = 0 
Step 2 Set j = j + 1 

let Xj = PermutedChoice{j,T) be I-SIZE bits of the bio- 
metric T selected with schedule PC, where I-SIZE is cho- 
sen so that the entropy of the Xj bits is sufhcient( e.g. Eor 
an iris scan as described above if I-SIZE=600 bits, then, 
assuming that the biometric has an entropy of 160, the en- 
tropy of Xj, on average, satisfies H{Xj) = 53). 

let Ij = hash(Xj) 

Step 3 if {j < D) goto 2 else exit. 

These indices Ij are pointers to the database locations where the user tem- 
plates are stored. Collisions with other iris codes is dealt with by performing the 
checks to be described later. 

Two important observations can be made. Eirst, with high probability at 
least one index is error free (See Majority Decoding in section 2.1). Second when 
hash(^ has same the information hiding property as those used in [DFM98] 
(see [Can97] as an example) and Xj has sufficient entropy, the Ij leak no useful 
information about the iris. 



3.1 Passive Identification 

In a passive identification system the user is uniquely identified with only the 
biometric reading and without any other inputs from the user. Hence the user 
does not provide an ID number or other inputs via a keyboard or a smart card. 
Once the user’s biometric is read, the user must be uniquely identified to obtain 
a user id. This may be done by a linear search through a database of registered 
biometric/user attributes relationship database. However, in practice a linear 
search is not scalable for applications with a large user base. 

In a biometric system, such as iris scan, there exists variances from the origi- 
nal registered reading with a later acquired reading. Because of the variances, it 
is not possible, in general, to use biometric systems as a scalable passive identifi- 
cation systems. Scalability becomes difficult because if the reading is faulty and 
lacking any other input from the user due to the passive nature of the identifica- 
tion scheme, the biometric can no longer be an index into a registered template 
database and therefore only linear searches are generally possible. 

As discussed above, we note that using majority decoding with iris scan 
technology one is able to reduce the number of errors to a negligible amount. 
This is based on observations that the errors in successive readings of a biometric 
differ in positions that are randomly distributed over the iris code, with about 10 
percent Hamming distance between success readings, on the average. Assuming 




Perfectly Secure Authorization and Passive Identification 109 

that the errors are random over the code: they can be reduced through majority 
decoding of M independently read iris code vectors. 

Let T be the template for an individual who presents to the authorization 
center. For each such user, we construct D indices Ij,l — j — D, of size I-SIZE 
as described above, which are pointers to the location of the record. Standard 
hashing techniques can be used to produce the indices. 

We now define the following identification system: 

To register, M biometric templates of length k are independently generated 
for the legitimate user. Majority decoding is then applied to the M biometrics 
to obtain the user’s k bit template T. Given the k information digits T, an n 
digit codeword T-C is constructed, where C are the check digits, in the [n, k, d] 
code defined at system setup. In the secure database the following information 
is stored: 

1. Name of the individual, NAME. 

2. Other public attributes ATT, such as the issuing center and a user’s access 
control list. 

3. The check digits C, of the biometric. 

4. Hash(NAME, ATT, T-C) where Hash(^ is a partial information hiding hash 
function [Can97]^. 

The database is set up so that the indices Ii, . . . , Id created from T with the 
GEN-Index function link to the created record. 

Passive identification process: During verification, when a user presents her- 
self/himself, the verification unit performs the following steps 

Step 1 Set i = 0, M biometric templates are independently generated for 
the user. Majority decoding is applied to the M biometric vectors to 
obtain the user’s k bit template T . 

Step 2 Set i = i + 1, Construct index fi with the GEN-Index function on 
input T . 

Step 3 The records pointed to by indices I-, containing the check digits and 
hash value, are requested. Let Ci be the check digit in record indexed 
by . Each set of check digits Ci is then used along with T to produce 
a new corrected biometric . 

Step 4 The hash value Hash(NAME, ATT, -G) is then compared for equal- 
ity with the hash value received. 

Step 5 If success, exit (success) 

Step 6 If t < D go to 2 else exit (failure) 

Successful verification implies the user passed the identification step. The 
NAME and the ATT fields identify the user uniquely. Observe that with over- 
whelming probability at least one of the indices will be correct. In fact, there 

^ A signature, private key authentication, hash, etc. can be used as well depending 
on the security model. 




no 



George I. Davida and Yair Frankel 



will most likely be multiple indices pointing to the same record. To reduce the 
number of queries into the database those records pointed by the most indices 
should be tested first. 



3.2 Perfect Secrecy 

User acceptance is vital for any biometric system to be effective. However, most 
systems reveal information about the user in the registration template. Systems 
based on the iris measurements may be particularly sensitive to revealing health 
information in the template. 

In [DFM98, DFMP], the protocol presented leaks only as much information as 
the error checking bits included in the template. However, this is an information 
theoretical analysis and it does not say anything about information leakage in a 
computational sense. 

What we desire is an identification system that achieves perfect secrecy, with- 
out storing the biometric. Informally, perfect secrecy means that an polynomial 
time adversary given a registration template is unable to compute any informa- 
tion about the user biometric related to the template. 

Here we use a technique very similar to the passive identification. Define 
PRF{., .) to be a Pseudo Random Function with two inputs. We obtain D 
indices as before but this time we store on the user token D tuples {Rj, C for 
1 — j — D, where Cj = PRFj.(Rj) — C and Rj is a random string. This in 
essence encrypts C under each of the keys Ij. 

System Setup: The authorization center generates its public and private keys 
and disseminates its public key to the biometric readers. The system also sets 
up an [n, k, d] code. 

User Initialization: To register, M biometric templates of length k are inde- 
pendently generated for the legitimate user. Majority decoding is then applied to 
the M biometrics to obtain the user’s k bit template T. Given the k information 
digits T, an n digit codeword T-C is constructed, where C are the check digits, 
in the [n, k, d] code defined at system setup. Let h,. . . ,Id be the D indices cho- 
sen as described above. A record (stored on a token to be carried by the user) 
is constructed with the following information: 

1. Name of the individual, NAME. 

2. Other public attributes ATT, such as the issuing center and a user’s access 
control list. 

3. {Rj, Cj— 1 — j — D, where Cj = PRF/^. {Rj) — C, Ij are D indices of size 
I-SIZE and Rj is a random string. 

4. Sigj = 5'z5(Hash(NAME, ATT, T-Gj)), I — j — D, where Sig(x) denotes 
the authorization officer’s signature of x, and Hash(^ is a partial information 
hiding hash function [Can97] (e.g., Sig(Hash(^) is a content-hiding signa- 
ture) or a random oracle (See [BR93]). 

Biometric verification process: When a user presents herself/himself and the 
card with the information described above, the following steps are performed 




Perfectly Secure Authorization and Passive Identification 



111 



Step 1 set j ~ 0 

M biometric templates are independently generated for the user. Ma- 
jority decoding is applied to the M biometric vectors to obtain the 
user’s k bit template T . 

Step 2 j =j + 1 

Compute Ij with the GEN-Index function on input T . 

Compute Cj = PRF//(i?j) — Cj. 

Apply error correction on codeword T -Cj to obtain the corrected 
biometric . 

Step 3 The signature^ Sigj=-5'i3(Hash(NAME, ATT, Tj-Cjjjis then checked. 
A successful signature verification implies the user passed the identi- 
fication step. 
exit(success) 

Step 4 If i < H go to 2 else exit(failure) 

Informally, the reasons this scheme attains perfect secrecy are: Observe that 
. . , {Cd, Ro—SLie multiple encryptions each of C with a key (index) 
with sufficient entropy. That is each key has around 53 bits entropy, as discussed 
above, but more can be added. Now each of the keys (indices) Ij operates on 
a random Rj to provide independence amongst the tuples. If a random oracle 
rather than pseudo-random function is used then the random values Rj are not 
necessarily needed. 

3.3 Passive Identification with Untrnsted Verifier 

In the passive identification protocol above the reader performed the final ver- 
ification process. That is it verified the signature. If it is desired that this ver- 
ification step be performed by the central database holder, without leaking in- 
formation about the user’s biometric, then using a random oracle model we can 
solve this problem by combining the presented techniques. 

As in the passive identification, indices are generated and a user’s informa- 
tion is stored in a manner which allows the indices to point to the appropriate 
data. However, this time the user information is different: 

System Setup: The authorization center generates its public and private keys 
and disseminates its public key to the biometric readers. The system also sets 
up an [n, k, d] code. 

User Initialization: To register, M biometric templates of length k are inde- 
pendently generated for the legitimate user. Majority decoding is then applied 
to the M biometrics to obtain the user’s k bit template T. As in the GEN-Index 
function, let Xj = PermutedChoice{j, T) be the I-SIZE random bits of the vec- 
tor T. Now, for RO(^, a random oracle (see [BR93]), let Tj = T — RO(“0” Atj) 

^ Hashes, private key authentication etc. can be used instead depending on the security 

model. 




112 



George I. Davida and Yair Frankel 



and Ij = RO(“l”^?Cj). Given the k information digits Tj, an n digit codeword 
Tj-Cj is constructed, where Cj are the check digits, in the [n, k, d] code defined 
during setup. In the database we store at a location pointed to by indices Ij: 

1. Name of the individual, NAME. 

2. Other public attributes ATT, such as the issuing center and a user’s access 
control list. 

3. The check digits of the encrypted biometric: Cj, 1 — j — D. 

4. D hashes Hash(NAME, ATT, T-Gj), 1 — j — D, where Hash(^ is a partial 
information hiding hash function [Can97]^. 

Biometric verification process: When a user presents herself/himself, M bio- 
metric templates are independently generated for the user. Majority decoding 
is applied to the M biometric vectors to obtain the user’s k bit template T . 
As in the GEN-Index function, let Xj be the I-SIZE bits of T' selected using 
schedule PC, as described above. The reader sends to the database server tu- 
ples {Ij,Tj— where T-=T — RO(“0”^^) and f = RO(“l”^j). The server 
finds the user’s records from the f. Error correction is performed, for each i, on 
codeword T^-Ci to obtain the corrected biometric by the database server. 
The hashes Hash(NAME, ATT, -Gi) are then checked. Successful verification 
implies the user passed the identification step. For simplicity of exposition, we 
assume that occasional rejection of a valid user is acceptable (the user would 
simply repeat the scan). In applications where rejection of a valid user is not 
acceptable, the parameters of the system can be changed so that such an event 
has negligible probability. The reader is then informed of the success or failure 
of the verification by the central server. 

Observe that the Cj leak no information because all possible Tj are equally 
likely given that RO(^ is a random oracle. For correctness, observe that for valid 
user u with subsequent reading T has an error vector E = T — T . Suppose Xj 
is the “index” without any errors. Then performing error correction on T -Cj = 
T — E — RO{“0'” -Xj)-Gj returns T--Gj because E has low Hamming weight. 
Also note that we use two different random oracles RO(“l”, for the indices, 
and RO( “0” , f, for the keys to encrypt a users template. This allows us to use the 
same bits of the template in two ways without leaking the key (i.e., RO(“0” —Xj)) 
for a key and index RO(“l” —Xj)). 

Computationally Simple Passive Identification: Using the same idea 
as described above a computationally simpler and heuristicly secure mechanism 
can be constructed. At the setup process vectors Tj = T — RO(“0”^Aj) and 
Ij = RO(‘T”^fj), 1 — j — D, are stored. In the biometric verification process 
T is obtained as before. Vectors T- = T' — RO(“0”^A^) and Ij = RO(‘T”^fj) , 
where Xj is created from T as before, using a Permuted Choice schedule, are 
now created. Acceptance occurs when there exists a Tj whose Hamming weight 
is sufficiently close to the retrieved vector Tj, retrieved with f. Observe in 
all the perfect security schemes no additional information is leaked if different 

® A signature can be used as well. 




Perfectly Secure Authorization and Passive Identification 



113 



authorization centers uses different parameters (e.g., PermutedChoice, [n,d,k] 
code, random oracle, etc.). 

In the non-passive case when the user is allowed to provide some information 
to the reader (e.g., a magnetic strip card containing error correction bits for 
the user’s template), to provide for an untrusted verifier then as in [DFM98] a 
hashed biometric template regenerated by the reader can then be used as a key. 
This key can be used as an authentication key for a challenge response where 
challenge is generated by the untrusted verifier. That is, let K = RO(T) be 
stored by the untrusted verifier. Verification is response fxiC) where C is a 
challenge from untrusted verifier or generated by a random oracle, at the reader, 
with some one-time tag (i.e., using inputs such as time, date, random values, 
names, etc.). 



References 



[BAW96] 

[Ber68] 

[BR93] 

[Can97] 

[Dau92] 

[Dau93] 

[DFM98] 

[DFMP] 

[HMW90] 

[MS78] 

[PW88] 

[Wil96] 



F. Bouchier, J. S. Ahrens, and G. Wells. Laboratory evaluation of the iris- 
can prototype biometric identifier. Technical Report SAND96-1033, Sandia 
National Laboratories USA, April 1996. 

E. R. Berlekamp. Algebraic Coding Theory. McGraw-Hill, 1968. 

M. Bellare and R. Rogaway. Random oracles are practical: a paradigm for 
designing efficient protocols. In Proceedings of the 1st ACM conference on 
Computers and Communications Security, 1993. 

R. Ganetti. Towards realizing random oracles: Hash functions which hide 
all partial information. In Advances in Cryptology. Proc. of Crypto’97, 
pages 455-469, 1997. 

J. Daugman. High confidence personal identifications by rapid video analy- 
sis of iris texture. In IEEE International Carnahan Conference on Security 
Technology, pages 50-60, 1992. 

J. Daugman. High confidence personal identifications by a test of statis- 
tical independence. IEEE Transactions on Pattern Analysis and Machine 
Intelligence, 15(11) :648-656, November 1993. 

G. I. Davida, Y. Frankel, and B. J. Matt. On enabling secure applica- 
tions through off-line biometric identification. In 1998 IEEE Symposium 
on Security and Privacy, pages 148-157, 1998. 

G. I. Davida, Y. Frankel, B. Matt and R. Peralta, ’ On the relation of error 
correction and cryptography to an offline biometric based identification 
scheme. In Proceedings of the Workshop on Codes and Cryptography 1999. 
J. P. Holmes, R. L. Maxell, and L. J. Wright. A performance evaluation of 
biometric identification devices. Technical report, Sandia National Labo- 
ratories, July 1990. 

F. J. MacWilliams and N. J. A. Sloane. The theory of error- correcting 
codes. North - Holland Publishing Company, 1978. 

W. W. Peterson and E. J. Weldon. Error Correcting Codes. The MIT 
Press, 1988. 

G. O. Williams. Iris recognition technology. In IEEE International Car- 
nahan Conference on Security Technology, pages 46-59, 1996. 




An Encoding Scheme for Dual Level Access to 
Broadcasting Networks 



Thumrongrat Amornraksa, David R.B. Burgess, and Peter Sweeney 

CCSR, University of Surrey, Guildford, GU2 5XH, U.K. 
t . amornraksa, d. burgess, p.sweeney@ee.surrey.ac.uk 



Abstract. In this paper, we propose an encoding scheme which gives two lev- 
els of access to a broadcast encrypted signal. Watermarking-type techniques 
based on direct-sequence spread spectrum communications are implemented to 
add specific information to the signal within the bandwidth allocated for broad- 
casting. This is beneficial to both the service providers and all subscribers in 
the network since the information added can advertise programmes which 
many are not yet authorised to access. 



1 Introduction 

An advantage of communications over the broadeasting network is that the transmit- 
ted signal from a source station can be received simultaneously by many destination 
stations. Digital TV broadcasting is one of the applications that uses this advantage. 
Sinee some digital TV programmes are pay-TV services, they will be enerypted be- 
fore transmitting to every subscriber. Only the authorised subscribers who pay an 
extra fee can get aceess to those programmes. This technique does not give any value 
at all to other subseribers who have not paid for that particular programme. The allo- 
cated bandwidth is only used for broadcasting the encrypted signal to the authorised 
subscribers, which may be a small group compared to all subscribers in the network. 
It will be more efficient if we can devise an encoding scheme in which the authorised 
subscribers can access the encrypted signal and, at the same time, the other subserib- 
ers can receive something on the same channel, such as an advertisement. However, 
the scheme should not extend the existing alloeated bandwidth. 

In this paper, we propose such an encoding scheme whieh gives two levels of ae- 
cess to the subscribers in the network. Watermarking-type teehniques based on direct- 
sequence spread speetrum communications are implemented to add specific informa- 
tion (i.e. advertisements) to the aceess-limited signal, whieh is protected by eneryp- 
tion techniques. With this seheme, the allocated bandwidth for broadcasting is utilised 
more efficiently and more benefit is given to both the service providers (through 
advertising) and all subseribers in the network (since there will be programmes whieh 
they are not authorised to access but ean see advertised). 

M. Walker (Ed.): IMA - Crypto & Coding'99, LNCS 1746, pp. 1 14-118, 1999. 

© Springer-Verlag Berlin Heidelberg 1999 




An Encoding Scheme for Dual Level Access to Broadcasting Networks 



115 



2 Description of the Scheme 

In spread spectrum (SS) communications [1], a low level wideband signal can easily 
be hidden within the same spectrum as a high power signal where each signal appears 
to he noise to the other. The heart of these SS systems is a pseudo-random binary 
sequence (PRBS). For these direct sequence SS systems, the original baseband bit 
stream is multiplied by the PRBS to produce a new bit stream. Only those receivers 
equipped with the correct PRBS can decode the original message. At the receiver, the 
low level wideband signal will be accompanied by noise, and by using a suitable 
detector/demodulator with the correct PRBS, this signal can be squeezed back into the 
original narrow baseband. Because noise is completely random and uncorrelated, the 
wanted signal can easily be extracted. 

Several watermarking techniques, such as those proposed in [2, 3], are based on 
these ideas. By spreading the information bits and modulating them with a PRBS, the 
watermark signal can be obtained. This signal is then embedded in the video signal 
below the threshold of perception. The recovery of the embedded watermark signal 
can be accomplished by correlating the watermarked video signal with the same 
PRBS that was used in the process of constructing the watermark signal. Correlation 
here is demodulation followed by summation over the width of the chip-rate (the 
number of blocks over which each information bit is spread). If the peak of the cor- 
relation is positive (or, respectively, negative), the recovered information bit is a H-1 
(or-1). 

Using a similar technique to the above (particularly like that proposed in [3]), the 
information signal will be added to the encrypted signal (after the channel coding 
process) to give the signal for transmission. Given a key to reproduce the same PRBS 
at the receiver’s side, the information signal can be recovered. Then the encrypted 
signal can be recovered by subtracting the information signal from the transmitted 
signal. Any errors which occur at this stage (both communication channel errors and 
any resulting from the need to ensure that the signal for transmission uses the same 
block size for its symbols as does the encrypted signal) will be detected and corrected 
by the channel decoder. The operation of the encoding scheme is shown in Figure 1 
below. 

We now describe the basic steps of adding the information signal to the encrypted 
signal. We denote by (m), m. e {-1, 1 } a sequence of information bits we want to add 
to the encrypted signal. This discrete signal is spread by a large factor cr, the chip- 
rate, to obtain the spread sequence (b) 

b. = m.,j.cr <i <{j+V).cr (1) 

The spread sequence (b) is then modulated with a PRBS (p), p. g {-1, 1} and 
added to the encrypted signal s., each s. block containing k bits, yielding the following 
signal for the modulation process: 

^ = s. + p..b. 



( 2 ) 




116 



Thumrongrat Amornraksa, David R.B. Burgess, and Peter Sweeney 



Encrypted 




a) Transmitter 



Encrypted 




Note* Perform the same process as 
at the transmitter to get bxp 



b) Receiver 



Fig. 1. The operation of the encoding scheme 



At the receiver, the recovery of the added information is easily accomplished by 
multiplying the transmitted signal with the same PRBS (p) that was used in the en- 
coder. The summation over the correlation window i.e. cr is as follows: 

(j + l).cr-l (j+\).cr-\ (j+l).cr-l 

0 = ^Pi- = ^Pi- + X P>^- (3) 

i= j.cr i= j.cr i= j.cr 



The first term on the right-hand side of (3) vanishes if p. and s- are uncorrelated and 

^ p = 0. However, we account for a different number of -I’s and I’s in 
i=j.cr ' 

p. over the interval \j.cr, (j+l).cr-l] by including the term 



(i+l).cr-l 

i=j.cr 



( 4 ) 





An Encoding Scheme for Dual Level Access to Broadcasting Networks 



117 



Then r. ideally becomes 

(J+\).cr-\ 

Y^Pi- 

i=j.cr 

and the recovered information bit m ’ 

./ j' 

As an example, let the bit-rate of the encrypted signal be 3Mb/s, the chip-rate cr = 
500 and let the block size k be 4 bits. Then, the rate at which information bits can be 
added after the channel coding process is 1.5kb/s. With this bit-rate, the information 
signal can be an image signal in compression form transmitted every 30s or so, and 
we can transmit the total bit-rate of 3.0015Mb/s within the existing bandwidth alloca- 
tion of 3Mb/s. To increase the bit-rate of the information signal, the chip-rate and the 
block size should be reduced. However, a smaller block size implies a greater likeli- 
hood that subtracting the information signal from the transmitted signal will not give 
the encrypted signal. In addition, a smaller chip-rate implies a greater likelihood of 
error in decoding the information bits. To reduce this latter likelihood of error an 
error correcting code can be applied to the information bits before the spreading proc- 
ess. 



s': - A = cr . iri: 



(5) 



. = sisn (r’). 



3 Experimental Results 

Experiments were carried out using the programming language C. The block size was 
varied from 2-5 bits to represent up to 32 values. In the experiments, the smallest 
chip-rate which gave no errors after the decoding process was 41, 95, 470, 1300 for a 
block size of 2, 3, 4, 5 respectively. For these block sizes, other values of the chip- 
rate considered gave different values of Bit Error Rate (BER) in the decoded data, 
and these values and the underlying trend line are shown in Figure 2. 

From Figure 2, it can be seen that a larger block size needs a higher chip-rate to 
retain the same BER. In addition, since one single bit error in the decoded informa- 
tion signal causes error propagation in the encrypted signal, anything other than a 
large value of the chip-rate will result in a large value of BER. This means that im- 
plementing the scheme with a large block size, will lead to low efficiency. According 
to the experimental results, a block size of 3 is the optimum for the scheme. 

In our experiments, the encoding scheme was performed in an error-free commu- 
nication channel. That is, the errors which occurred in the decoded data came solely 
from the need to remain within the bandwidth of the broadcast channel. Although the 
proposed scheme has not been fully explored, it shows an idea of how to utilise the 
existing broadcast bandwidth in a more efficient way. Further work can be carried out 
by simulating the scheme in channel models e.g. AWGN. Error correcting codes can 
be applied in the scheme to improve its reliability. 




118 



Thumrongrat Amornraksa, David R.B. Burgess, and Peter Sweeney 



10 



100 1000 10000 



DC 

UJ 

m 



1,0E-+O0 

1,0E-01 



1,0E-02 



1,0E-03 



1,0E-04 



1,0E-05 




Chip-rate 



♦ Block Size = 2 ■ Block Size = 3 A Block Size = 4 

X Block Size = 5 Log. (trend line) 



Fig. 2. Chip-rate vs. bit error rate of decoded data at different block sizes 



References 

1. Pickholtz, R., Schilling, D. and Millstein, L.: Theory of Spread Spectrum Communications. 
A Tutorial. IEEE Transaction on Communication, Vol. COMM-30 (1982) 855-884 

2. Cox, 1., Kilian, J., Leighton, T. and Shamoon, T.: Secure Spread Spectrum Watermarking 
for Multimedia. IEEE transactions on Image Processing, Vol. 6, No. 12 (1997) 1673-1687 

3. Hartung, E. and B. Girod, B.: Watermarking of Uncompressed and Compressed Video. 
Signal Processing, Vol. 66, no. 3 (Special issue on Watermarking) (1998) 283-301 




Photograph Signatures for the Protection of 
Identification Documents 



no 



o n 



on^ n 



3 



^ ENIB, Brest, France 

^ Department of Electrical & Electronic Engineering, 
University of Wales Swansea, SA2 8PP, UK 
® Dynjab Technologies, Canberra, Australia 
J . S . D . MasonOswansea .ac.uk 



Abstract. This paper investigates a photo- signature approach to pro- 
tecting personal identification documents such as passports. The ap- 
proach is based on that described in a recent publication by O’Gorman 
and Rabinovich [1] which uses encoded data derived from comparisons of 
image sub-blocks across the photograph of the document. The encoded 
data is generated and stored at the time of document creation, and used 
subsequently to test document authenticity. Here we report on experi- 
ments which corroborate the fundamental findings of [1], namely that it 
is possible to usefully encode the photograph information in only tens of 
bytes of data. 

Furthermore we show that now bloek structures can improve the effi- 
ciency of the encoded data. This is important since the encoding ef- 
ficiency, measured in terms of number of bytes versus discriminating 
performance, is particularly important when storing data on a small 
document such as a passport or ID card. We show that a step structure 
is measurably better than the original octal structure used in [1] when 
there are only a small number of bytes (20 to 30) in the photo- signature. 



1 Introduction 



0 0 


p 






n on 


0 


n 






P po 


n 




p 






n 


n 




P 




n 0 


n p on 


n 




00 








P 




n 


n 


on p 


po n p 


n n 


P po 




n 


n 


n 


on 0 


on 0 


P 


on 


n n 0 


no 


0 n 




P 




n 


0 p 


n 


on 










- 


p 


n 






0 n 


0 


P 


po 






— 


p 


po 






no 


P 


0 




n 






— 


p 


po 






n 


n 






0 n 


n n 




— 


p 


po 




n 


0 n 


0 


n 




no 


n p 


n 






n 




nn 






















0 




on 0 








n 


on on 


n 


P P 


n 






P 


0 0 p 


n 0 


n p 


0 




p n n 




0 




0 






P po 




n 




n 


P po p 





M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 119-128, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




120 



Bruno Bellamy, John S. Mason, and Michael Ellis 



n on poop n non 





















' Jr' “ 


r' 














0 


n 








0 


n 


0 


0 0 


n n 




n 




P 0 


0 p 


0 on 




on 


n 0 




n 


n 






p n 






0 0 


n 




0 


0 


P 


n 


n 




op 






P 0 


on 


0 




n 




n 




n 






n 




nn 


n 


0 0 


0 


p n 


n 0 


n 


no 






0 




n 


on n 




n 




0 




n 


n 






n 


0 


0 


p n 


n 


0 0 






0 








0 


P 0 






n 0 






p 


n 












no n 


P 


n 




on 0 


poo 


P 






on 


0 


P 




n 








n 
















on 








0 




n 0 


on 


0 




p 


0 0 


P 0 








0 




n 




0 


0 




n on 


n 








n 0 




P 0 


0 p 










photo- signature 


0 


0 




on 








n 








0 


n 


0 












on 


n 


n p 




0 p 


P 






n 0 




















P P 


on 






P 


0 0 


n 




n 










0 n 


n 




no 














0 


0 








n 


on 




0 




on 




n 


n 0 


n 






n 


n 




0 p 


n 




on 




0 


n 








0 


n 


n 










n on 


P 0 




n 


n 


n 




0 






n 


0 


0 











2 


Photo-Signatures against Counterfeiting 








p 


0 0 




n 


n 




n 


n p 




on 0 


P 0 


0 


P 


P 0 




n 




n 




n 


on 




n p 0 


0 


P 


0 


n p 0 


p 




p 


opo 


PP 0 


0 




n 






n 


n 


P op 


0 


P 0 


0 


p 




n 


0 




0 


n 










n 


0 






0 






P 




P 0 


0 p 


on 






p n p 


0 


0 


p 


n 


n 0 






P 


n 


on 0 




P 


0 0 


p n 


p 






op 


on n 


0 p 






0 


n 














0 


0 










n 


0 


on 






n 


0 n 




n 




p 




0 






on 


0 






0 








poo 


n 




0 


on 


po 


n 




n 


n 


0 






n 


P 


0 0 


P 




0 




n 


n 










0 


nn : 


Q 0 


0 


P 0 


n 


n 0 






n n 


0 n 


P 


0 0 




n 


0 pon n 


0 


p 


0 0 


P 


n 






0 




on 


on 


0 n 






n 


on 


no 






n 


0 no 


n 0 


n 




0 


n 


on 




n 


0 




0 






0 n n 


PP 


op 




0 








0 


n 


n 


0 






n 


P 






ppn 


P 0 


0 p 



















2.1 Passport Protection 






0 p po n n 


n on 


o 

o 

o 


p po on 


0 


n n on 0 on 




Photograph Signatures for the Protection of Identification Documents 




121 


n n 


on 


0 








0 n 


P 


po 




n 




n 


0 




on 


0 n 


n 




















on 0 


0 n 






P PO 






n 


n 




0 














P 






0 


p n n 


on 


0 


n 




0 


0 






n 0 


n 


P 0 






0 


n 0 


po 


n 


0 


P 


po 


0 


on 


0 


n 


0 




on 






n 


0 n 




n 


n 




0 


0 




p 


po 


0 






0 


n 


0 


on 


0 n 






n 


P 


po 






0 


0 




n 




on 


n 0 








0 


no 


n 




0 


P 












0 




n 


0 


n 








n 


n 


0 






n 


0 






n 






n p 


' 0 




00 








0 




P 


n 0 


0 




0 


0 




0 n 




on 








0 


P 


I 


3 


n 0 


n 


0 


0 


0 




po 




0 




0 n 




0 


n 






0 


non 


0 


n 




















n 




n 


n 


P 0 




0 








P 








p 










n 


on 0 








on p 


0 0 


n 


0 






0 




0 


PP op 


0 


P 


po 


n 




0 




p 


0 


0 P 






on 


P 




0 


n n 


0 


n 


n 


P 


n 


0 






P po 






n 






0 






p opo 




0 


n 


n 


no 






0 






n 


P 




n 


0 




P po 








0 


0 


n 


0 




poo 


n 






po 


n 




0 




on 


n 








n 


n 


n 


0 


n 


n 






0 






0 




0 








on 0 


poo 


p 


P 


n 




P 


po 


P 


0 


0 P 




0 




n 




n 


0 p 


0 0 


n 




0 


0 n 




0 




n 


n 0 








0 


0 pon n 




0 






on 








no 




0 


n 


0 


n 


0 


0 




n 






n 






n 


n 






00 0 




n 






0 






n no 


n 


0 




n 






n 




0 


P PO 


n 0 




0 












0 




n 0 






0 0 


n 








0 


0 n 








opo 


n p 


n 


n 


poo 


n 












F 


) 0 


0 


p n 




on p 






P 0 


P 










0 





















2.2 




The Photo-Signature of [1] 
















0 p 


0 0 


n 




0 


po 


n p 


n p 




0 


P 0 


0 


p 




0 


0 


n 


0 


on 




n 


n 0 




0 




n 0 


0 n 


n 


on n 




p opo 


P 


0 0 n 0 




0 


n 


n 


no 




on 




P 






p n n 0 




0 


P 


po 






0 P 


po p 


0 


on 




n on 0 


P 0 


0 


n 




0 no 




n 


n 


0 


P 




n 


0 




0 


n 


0 poo 


n 




n no 


0 P 


0 


0 n 




0 








on 




0 


n 




on n p 






0 




0 


n 


n 


n 0 


p 


on 




n n 




0 




on 0 


n p 


0 


P 








0 


0 n 


n 




n 


P 


P 0 


po 


n 


n 








0 p n 






n 0 






















122 



Bruno Bellamy, John S. Mason, and Michael Ellis 



p o o 



poo n 



o 



n 



o p 



n 



p n po o o o n 




o 



o 



o 

n on n o 

on o o 



o on 



P 

n n o n on 

n o 












Fig. 2. n on o 

n o o p on 




Feature byte example: 11111010 

Fig. 3. on n 

o n n n op 

o no 






3 Experiments 

00 pnpo o poon 

n on p o n n o 

— o o n on p 

— o p on n n 

— n o no 

3.1 Assessment 



n 


p 


n 




po 


0 




P 0 


1 0 




n 






0 


P 


on 




no 


n 






n 








0 






0 








n 










n 


n 


on 0 






n 


on 








0 p 


0 on 




n 


P 0 


0 


n 








n 








0 






P 0 


0 p 






on 


n n 


on 0 0 


n 






n 










n 


n 


n 


n 




poo 


P 




n 






on 


n 












0 








- 


n n 




0 


n 0 




n 






0 


n 








0 


n 




on 




n 


































— 


n 


n 




nn n 


op 




on 






















0 


n 




n 


n 






P 




n 








0 




0 


0 






P 0 


n 








































on n 




P 














P 




0 


pon 


n 


0 


n 




P 


0 0 


on 




P 


0 


0 




P 




0 




P 






on 






n no 


0 








P 


0 


0 


p 






n 




on 




0 0 












no 








0 






n 








n 




n 




P 0 














0 




n 


poo n 


P 




no 


0 






0 


P 




on 


0 






no 




on 


on 


0 




n 




0 


P 


on 


n 












n 


0 






n 




0 




p n 








po 








n 






0 






n 


n 


n 



onoo nn pnp 




124 



Bruno Bellamy, John S. Mason, and Michael Ellis 





Fig. 4. P o 



on 



n no 














Photograph Signatures for the Protection of Identification Documents 



125 




Size of the signature in bytes 



Fig. 6. on 






Photograph Signatures for the Protection of Identification Documents 



127 




Fig. 9. p o n 




Fig. 10. p o n 





0 




0 




p 




0 








no 0 




P 




0 




on n 


n 


on 


P 


0 


on 


0 




0 




n 
























0 


0 0 






n 


n 


0 


n 




on 




n 




n 


0 






n 




00 






n 


on 




n 


n 




0 


0 n 








0 








0 n 








P 






n 


P 


0 


0 




0 n 




n 


n 


0 




n 




n 
















n on 


0 






0 










on 


0 






P 


0 


n 






no 




0 


n 


0 


0 


P 




on p 






n 




0 




P 


0 0 


p 






0 














0 


n 


0 p 


0 










0 


0 


n 


0 


P 


0 






n 


no 


n 


P 




P 




n 


0 


on 




0 


n 






0 




0 




on 


0 


n 








P 0 


n 




n 


on 





128 



Bruno Bellamy, John S. Mason, and Michael Ellis 



References 

[1] I. Rabinovich L. O’Gorman, “secure identification documents via pattern recog- 
nition and public-key cryptography”. IEEE trans. pattern analysis and machine 
intelligenee, pages 1097-1102, Oct. 1998. 




An Overview of the Isoperimetric Method in 
Coding Theory (Extended Abstract) 
[Invited Paper] 



Jean-Pierre Tillich^ and Gilles Zemor^ 



^ Universite Paris-Sud, 

LRI, batiment 490, 91405 Orsay, France 
^ Ecole Nationale Superieure des Telecommunications, 
46 rue Barrault, 75634 Paris 13, Prance 



Abstract. When decoding a threshold phenomenon is often observed: 
decoding deteriorates very suddenly around some critical value of the 
channel parameter. Threshold behaviour has been studied in many situ- 
ations outside coding theory and a number of tools have been developped. 
One of those turns out to be particularly relevant to coding, namely the 
derivation of isoperimetric inequalities for product measures on Ham- 
ming spaces, we discuss this approach and derive consequences. 



1 Background 

Let C be a binary linear code with parameters [n, k, d]. Denote by R = k/n its 
rate and d = d/n its relative minimum distance. We shall be mainly concerned 
with the asymptotic behaviour of C so that R and S should be thought of 
as fixed quantities as opposed to growing n. Traditionally, two approaches to 
coding theory have coexisted over the years. One approach consists of looking 
for codes with the largest possible minimum distance for a given length and 
dimension, based on the simple statement that if less than d/2 errors occur then 
(disregarding complexity issues) the original codeword can always be recovered. 
The other approach consists of studying the probability of a decoding error 
after a codeword has been corrupted by some channel. To take one of the most 
studied examples, the binary symmetric channel with transition probability p, 
the probability of a decoding error can be written as : 

f{p) = 1 - p,{w) = i-Yl ( 1 ) 

x—W 

where x denotes the Hamming weight of x. The set of vectors IV is a decoding 
region, i.e. the set of error vectors that will be correctly decoded by a maximum- 
likelihood decoding scheme. Practitioners and theorists alike have been asking 
for the behaviour of f{p) : many results exist on the typical behaviour of /(p) 
when C is chosen randomly from an ensemble of codes. In particular, if C is 
chosen randomly from all linear codes of (large) length n and rate R, then we 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 129-134, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




130 



Jean-Pierre Tillich and Gilles Zemor 



know that f{p) jumps suddenly from almost zero to almost one around the 
critical value 0 = — R), this is essentially Shannon’s theorem. The typical 

value of f{p) was then further studied in the sixties by Gallager who showed 
that f{p) g~nE{R,p)+o{n) function E{R,p) that he computed and that is 
positive whenever p < 0. 

One frustrating fact is that the typical critical value 6 of f{p) actually equals 
the typical relative minimum distance 6. This means that even if there are many 
more than 5/2 corrupted bits, only very few error patterns will actually result 
in a decoding error. This well-known phenomenon has again been highlighted 
recently with the progress of iterative decoding techniques, e.g. the advent of 
turbodecoding. In that case the code C is chosen among a much more specific 
and smaller ensemble of codes, and maximum-likelihood decoding is replaced by 
some suboptimal decoding scheme (this can be seen as replacing the decoding 
region W in (1) by a considerably smaller set of vectors). Experiments show 
that f{p) still tends to behave in a threshold manner, for impressive values of 
9, although the codes have poor minimum distance properties. However in these 
cases, for p < 9, the quantity f{p) does not decay exponentially with the block 
length n any more. 

Our approach is to try and bridge the gap between the two approaches to 
coding, the study of the minimum distance and the study of f{p). Suppose we 
are given a code with minimum distance d : what can we say about f{p) ? About 
its threshold behaviour ? How can we upperbound f{p) ? This time we do not 
ask for typical behaviour but want a result valid for any code with minimum 
distance d. 

2 Threshold Effects and the Isoperimetric Method 

In 1974 a very elegant result of Margulis [2] went largely unnoticed by the coding 
community because its implications were not fully apparent. 

For any two vectors x and y of the Hamming space , let us write x y ii 
for any i = 1,2, . . . ,n Xi = 1 implies yi = 1. We shall say that W is increasing 
if for any x W , x y implies that y is also in W. 

Margulis introduced the quantity : 

hw{x) = 0 if X IE 

hw{x) = card y W,d{x,y) = 1 if x W 

where d{x, y) denotes the Hamming distance between x and y. Denote by A{W) 
the smallest nonzero value of hw{x). Let pp denote the product probability 
measure on the Hamming space defined by 

pp{x) = '£p^x^-pr~^- 

x-X 

for any set of vectors X. Margulis ’s theorem is a very general statement about 
increasing sets. 




An Overview of the Isoperimetric Method in Coding Theory 131 



Theorem 1 (Margulis 74) For any e > 0, Tj > 0, there exists m > 0 such that 
for any increasing set W satisfying A{W) m, the set of p’s for which p,p{W) 
takes values between e and 1 — e is an interval of length smaller than ig. 

This emphasizes the threshold nature of the function p p,p{W). The larger 
A{W), the quicker pip{W) jumps suddenly from almost zero to almost one. 

Why is this relevant to coding ? Because it applies almost immediately to 
the decoding error probability f{p) in (1). In this case the decoding region W is 
not increasing, but it is a deereasing set, i.e. x W and y x imply y W : 
Margulis’s theorem will also apply. Furthemore, the quantity A{W) is directly 
dependent on the minimal distance of the code d, we have namely A{W) 
d/2. The consequence is that the decoding error probability f{jp) behaves in a 
threshold manner, i.e. jumps suddenly from almost zero to almost one, and that 
the “jump” narrows as the minimum distance grows. 

Deriving such a result is not straightforward and Margulis’s method is espe- 
cially interesting. It relies on the following identity, later to become known in 
percolation theory as Russo’s identity, which states that for any increasing set 
W : 



dfJ-pjW) ^11 (.-r). (2) 

dp P Jw 

Margulis then goes on to lower bound the quantity hw{x)dpbp{x) by a func- 
tion of pip{W). Integrating the resulting differential inequality then yields the 
threshold behaviour. The method can be named isoperimetric because the inte- 
gral hw{x)dpp{x) can be thought of as a measure of the “boundary” of W 
and is lower bounded by a function of its “volume” pp{W). 

Margulis’s theorem was made much more explicit by Talagrand [3] who 
showed that the estimation of Pp[W) can be made more precise by consider- 
ing a modified measure of the boundary of W, namely f hwdfip. 

Talagrand’s isoperimetric inequalities were refined by Bobkov and Goetze [1], 
and improved again in [4] . After integration, these inequalities yield the following 
result for increasing sets. 

Theorem 2 (Tillich Zemor 99) Let W be an inereasing set of vectors of F 2 , 



and let A = A{W). 


Let 6 


be defined by peiW) 


= 1/2. Then Pp{W) satisfies 




Pp{W) <L ( 




— \n9— \J — Inp)^ 


for 0 < p < 9 


( 3 ) 


Pp{W) ( 




— Ind — \/ — lnp)j 


for 9 < p < 1. 


( 4 ) 



where L>{x) = — = e *^^'^dt. 




132 



Jean-Pierre Tillich and Gilles Zemor 



Applied to coding, this yields the following theorem. 



Theorem 3 (Tillich-Zemor 99) Let C be a binary linear eode with minimum 
distance d and any length. Over the binary symmetric channel with transition 
probability p, the probability of decoding error fijp) 
associated to C satisfies : 



f{p) 

f{p) 



1 - L> 
1 - <L> 



d ln(l -9) - A/-ln(l - p) j 
d (^\/- ln(l -0) - a/- ln(l -p)^ 



where 9 is defined by f{9) = 1/2. 



for 0 < p < 9 
for 9 < p < 1. 



This theorem makes the threshold behaviour of f{p) very precise. Note that 
for fixed o < 0 and growing d the quantity d>{a d) is equivalent to 
so that theorem 3 really gives an upper bound of the form 



fijp) exp(-d5(6i,p)) 

where g{9,p) > 0 for p < 9 : in other words f{p) is exponentially small in d. In 
particular, families of codes with minimal distance growing linearly with their 
length n have a probability of decoding error which decreases exponentially with 
n, as long a,s 9 — p stays bounded below by some e > 0. We now know that this 
holds for all such codes, not just that it is typical behaviour. 



3 Locating the Threshold 

The isoperimetric method gives precise results on the behaviour of the decoding 
error probability f{p) given d but does not say anything about the whereabouts 
of the threshold probability 9. As mentioned earlier, randomly chosen codes with 
large length have 9 ~ S = dfn, but what is the (asymptotic) situation for any 
code with prescribed relative distance d ? More precisely, denoting by 9{C) the 
threshold value for a code C, we would like to determine 

6> = liminf6»(C') 

where the lim inf is defined over any sequence enumerating the set of all codes C 
such that d 6n. What is the best lower bound on 0 as a function of ^ ? This 
is an interesting open question. It should be clear that we must have O 5/2. If 
it were true that 0 = 5, this would imply that the Varshamov-Gilbert bound is 
tight. The best lower bound on 0 known to us makes use of averaging arguments 
together with bounds on the highest possible rate of constant weight codes [4] : 
here are some numerical values. 




An Overview of the Isoperimetric Method in Coding Theory 133 



Table 1. 6> as a function of S 



6 


0.1 


0.2 


0.3 


0.35 


0.4 


0.45 


0.5 


lower bound on (9 


0.053 


0.123 


0.212 


0.267 


0.330 


0.385 


0.5 



4 The Erasure Channel 

Theorem 2 is very general and should find applications in a variety of situations. 
Its applications to coding are especially interesting in the context of the erasure 
channel. Let C be again a binary linear code with parameters [n, k, d]. This time, 
when a codeword of C is transmitted its symbols are erased independently with 
probability p. Let e be the erasure vector, i.e. the characteristic vector of 
the set of erased positions. The probability f{p) that we are now interested in 
is the probability that the initial codeword cannot be recovered from the set of 
received symbols : it is straightforward to check that this happens exactly when 
c e for some nonzero codeword c. We have therefore : 

fip) = Pp{W) 

where W now stands for the set of vectors x for which there exists c C, c = 0 
such that c x. Every vector in W has weight at least d, from which we have 
the well-known fact that C can always correct up to d — 1 erasures. But it might 
very well be true (actually it is true, this is our point) that C can, with high 
probability, correct many more erasures. 

It is clear that W is an increasing set of vectors. Furthermore, it is not difficult 
to show that, because C is linear, A{W) = d. Therefore the isoperimetric method 
applies, and theorem 2 translates directly into a theorem of a nature similar to 
that of theorem 3 (see [4]). 

Actually, Margulis’s initial motivation for deriving his theorem was the study 
of this function f{p) in the particular situation when C is the cocycle code of 
a graph. In this case f{p) represents the probability that a random set of edges 
disconnects the graph. 

As in the case of the binary symmetric channel, we would like to lower bound 
the threshold 0 (defined by f{0) = 1/2) by a function of 5. Defining again 
0 = liminf 0{C) where C runs over all codes such that d 5n, we have trivially 
that 0 5. But interestingly, in this case the isoperimetric approach can be 

pushed further to yield nontrivial lower bounds on 0. 

The idea is to define the sequence of sets 

Wi = W W2 ... Wt ... 

where Wt is the set of vectors x such that 



c C c X 





134 



Jean-Pierre Tillich and Gilles Zemor 



is a subcode of C of dimension t. The threshold probabilities associated to each 
Wt form a sequence 

6i=e 02 ... 0t ... 

The isoperimetric method will show that the differences 9t+i — 9t must tend to 
zero as the minimum distance tends to infinity. We can then argue that a code 
of length Otn, dimension t, and minimum distance d must exist, so that these 
parameters must not contradict existing bounds. This argument gives [5,4] 

0 25 

and can be pushed further to yield improved lower bounds : this is the object of 
forthcoming work. 

References 

1. Bobkov, S., Goetze, F. (1996) Discrete Isoperimetric and Poincare-type 
inequalities. Technical report SFB 343 University of Bielefeld 96-086. 
ftp: / / ftp.mathematik .uni-bielefeld.de / pub / papers / sfb343 / pr96086.ps. gz 

2. Margulis, G. (1974) Probabilistic characteristics of graphs with large connectivity. 
Problemy Peredachi Informatsii. 10 , 101-108 

3. Talagrand, M. (1993) Isoperimetry, logarithmic Sobolev inequalities on the discrete 
cube, and Margulis’ graph connectivity theorem. Geometric and Functional Analy- 
sis. 3, 295-314. 

4. Tillich, J-P., Zemor, G. (1999) Discrete inequalities and the probability of 
a decoding error. Submitted to Combinatorics, Probability & Computing, 
http:/ /www. infres.enst.fr/ zemor/isoperimetric.ps 

5. Zemor, G. (1994) Threshold effects in codes. In Algebraic coding. Springer- Verlag, 
LNCS 781 278-286. 




Rectangular Basis of a Linear Code 



Johannes Maucher^, Vladimir Sidorenko^, and Martin Bossert^ 

^ Department of Information Technology, University of Ulm, 
Albert-Einstein-Allee 43, 89081 Ulm, Germany, 
joma,boss@it . e-technik.uni-ulm .de 
^ Institute for Information Transmission Problems, 

Russian Academy of Science, 

B.Karetnyi per. 19 101447, Moscow GSP-4, Russia, 
sid@iitp.ru 



Abstract. A rectangular code is a code for which there exists an unique 
minimal trellis. Such a code can be considered to be an algebraically 
closed set under the rectangular complement operation. The notions of 
rectangular closure and basis were already defined. In this paper we 
represent a method to construct a rectangular basis of a linear code 
from a given linear basis. 



1 Introduction 

Each code C can be represented in a trellis T{C). This trellis representation is 
applied in decoding algorithms, for example in the Viterbi decoding algorithm. 
For a given code there exists a large variety of corresponding trellises. Obviously, 
for most applications a trellis with a minimal complexity is preferred, however 
there exists different complexity measures. It was shown in [3] that there exists 
a class of codes for which there exists a unique minimal trellis, i.e. a trellis 
which minimizes all ordinary complexity measures. This set of codes is called 
the set of rectangular codes. It can easily be shown that each linear code is 
a rectangular code. Hence, in most of the previous works people investigated 
which nonlinear codes are rectangular. In recent works [8], [7] the algebraic 
structure of rectangular codes is studied. It is shown in these papers that for 
any nonrectangular code there exists a unique rectangular closure. Moreover, an 
algorithm is proposed which computes for each rectangular code a rectangular 
basis. For a given nonrectangular code the trellis of the corresponding rectangular 
closure has a smaller complexity, than the trellis of the nonrectangular code 
itself. Therefore the decoding complexity decreases if a nonrectangular code is 
decoded in the trellis of its rectangular closure. Moreover, as shown in [9], for 
some iterative decoding algorithms which use a set of low weight codewords of 
a linear code, complexity decreases and performance increases if the rectangular 
closure of these low weight codewords is used. The merit of a rectangular basis 
is that it provides a quite compact description of a rectangular code, i.e. in 
applications in which a rectangular set must be stored on a device it is sufficient 
to store only its rectangular basis and generate the whole set from this basis, 
whenever it is needed. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 135-143, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




136 



Johannes Maucher, Vladimir Sidorenko, and Martin Bossert 



In this paper we investigate the relation between rectangular bases and linear 
bases of linear codes. In particular we show how a rectangular basis of a linear 
code can be derived from its generator matrix in trellis oriented form. 



2 Notations and Definitions 
2.1 Trellis Representation of a Code C 

A trellis T = {V, E, A) is an edge labeled directed graph. In a trellis of length n 

the set of vertices is V = Vq Vn and the set of edges \s E = E\ En. 

Each edge e — Ei connects a vertex v — Vi-\ with a vertex v — Vi. The initial 
vertex of e is then i{e) = v and its final vertex is /(e) = v . The edge e is 
said to be incident from i{e) = v and incident to /(e) = v . A path of length 
I consists of a sequence of edges ...e^], such that f{ei-) = i{ei-^^) for all 

j 1, . . . , ^ — 1— Each edge e — Ei is labeled by an element from the finite set 

Ai. Then each path of length n from a vertex in Vq to a vertex in 14, is labeled 

by an element from the cartesian product A = A\ A„. In a trellis T{C) of 

a code C there exists only one vertex Vr in Vq and only one vertex Vg in 14,. For 
each codeword c — C there exists a path pa{c) from Vr to Vg which is labeled 
by c. Usually trellises T{C) are considered in which there exists for each c only 
one path pa{c) labeled by c. Among all possible trellises T{C) of a given code 
C, the minimal trellis of C is the one which minimizes the number of vertices in 
each Vi simultaneously [5] . There exists an unique minimal trellis for C, iff C is 
rectangular [3]. 



2.2 Rectangular Codes 

In general a rectangular code of length n can be considered to be a subset of the 

cartesian product A = Ai of arbitrary finite sets Ai. However, since we 

consider in this paper linear codes we restrict throughout this paper rectangular 
codes to be subsets of the n— dimensional vector space GF{q)^. Any codeword 

c = (ci, . . . , Cn) — C can be partitioned in an arbitrary depth t 1, • ■ . , n— 

into its t— head p = (ci, . . . , ct) and its t— tail / = (ct+i, . . . , c„). We denote by 
— t(C) the set of all t— heads and by Et{C) the set of all t— tails of code C. 

Definition 1 Let pi,p 2 — —t{C) and /i ,/2 — tFt{C). Then C is called t- 
rectangular, iff 



{pi, fi), {P1J2), {P2, fi) - C implies {p2, f2) ~ C. (1) 

If C is t-rectangular in all depths t 1, . . . , n— then C is rectangular. 



Example 1 The code C = —110, 101, 111 — is 1 — rectangular, but not 2— rectan- 
gular, because the vector v = 100 is not contained in C. 




Rectangular Basis of a Linear Code 



137 



All linear codes are rectangular because they are closed under addition and 
subtraction of codewords: For the codewords ci = (pi,/i), C2 = (pi,/2) and 
C3 = (p2 , /i ) of the linear code C, the vector 

C4 = C2 - Cl +C3 = {P1J2) - (pi,/i) + (p2,/i) = {P2J2) 

is again a codeword of C. Thus the defining relation (1) is fulfilled for all depths 
t 1, . . . ,n- 

For any set of vectors Y — GF{q)^ the rectangular closure S = R{Y) is 
defined to be the smallest rectangular set which contains Y . The rectangular 
closure of a given set Y is unique. R{Y) is closed under the rectangular comple- 
ment operation, which is defined as follows: 

Definition 2 Let pi be the t—head and fi be the t—tail of vector c^. Let 
^i,C 2 ,C 3 — be a set of three vectors with fi = /2 and p 2 = ps- Then the 
t— rectangular complement 



z := rt(ci,C 2 ,C 3 ) 



o/^l,C 2 ,C 3 -fs Z = (pi,/ 3 ). 

Note that the rectangular complement of a set of three vectors is defined, 
iff within this set there exists a pair of vectors which has the same t—head 
and a pair of vectors which has the same t—tail. If for a given set of three 
vectors -ci, C2, C3 — the rectangular complement is defined in depth t and depth 
I, then rt(ci, C2, C3) = n{ci, C2, C3). Therefore the depth index in the rectangular 
complement operation can be omitted. A rectangular closed set S, together with 
the rectangular complement operation r constitutes an algebra A = < S;r >. 
Strictly speaking it is a partial algebra [2] since the operation r is not defined 
on all triples of vectors. 

Example 2 The rectangular complement of the three vectors of C from Exam- 
ple 1 is not defined in depth t = 1. However in depth t = 2 the rectangular 
complement is defined: 



r(110,101,lll) = 100. 

The new set S = C 100— zs rectangular, i.e. S = R{C) is the rectangular 

closure ofC. 

A set of vectors Y is said to be a rectangular independent set if none of the 
vectors — T is contained in the rectangular closure of the other vectors in Y : 

Yi / R{Y — yi— ). 

If S is the rectangular closure of Y, then Y is said to be a generating set of S. 
A generating set of S, which is rectangular independent is a basis of S. In the 
sequel we denote a bases by B and its elements by b. 




138 



Johannes Maucher, Vladimir Sidorenko, and Martin Bossert 



3 Construction of a Rectangular Basis 

Throughout this section C denotes a rectangular code in general, i.e. C is not 
restricted to be linear. We represent an algorithm which constructs a rectangular 
basis B{T) of code C in the minimal trellis T{C). This algorithm was introduced 
in [8] . The proof of Theorem 1 can be found in [4] . 

Coloring Algorithm: 

1. For each vertex v in the minimal trellis T{C) all edges, incident to v, except 
one edge, must be colored. All edges, incident to the goal vertex Vg must be 
colored. Set B{T) = — . 

2. For each colored edge e con.struct a path in T{C) that goes from the root 
vertex Vr to the goal vertex Vg through the edge e and comes to the vertex 
V = i{e) through noncolored edges. Join the codeword corresponding to this 
path to the set B{T). 



Theorem 1 If T = (V, E, A) is a trellis of a rectangular code C , then G{T) is 
a generating set of C and 



-B{T)-= WH- 2. 

If in addition the trellis T is the minimal, then B{T) is a basis ofC. 



Example 3 For the parity check code C(5, 4, 2), the minimal trellis and a possi- 
ble coloring according to item 1 of the coloring algorithm is shown in the picture 
below, where ‘colored’ edges are printed hold. 




From this colored trellis one can determine, according to item 2 of the col- 
oring algorithm, for example the basis B = —11000,10100,01100, 01010,00110, 
00101,00011, 00000-. 

4 Construction of a Rectangular Basis for Linear Codes 

The drawback of the coloring algorithm is that it constructs a rectangular basis in 
the minimal trellis and the construction of such a trellis may be quite complex for 
large codes. In the sequel we will represent a method to construct a rectangular 
basis of a linear code directly from its generator matrix. The merit of this new 
method is, that it is less complex than the coloring algorithm and it provides a 




Rectangular Basis of a Linear Code 



139 



better understanding of the relation between rectangular and linear bases. In [1] 
Forney introduced the trellis oriented generator matrix. From the trellis oriented 
generator matrix of a code C one can directly determine some properties of the 
minimal trellis T{C). In particular there exists an efficient method to construct 
the minimal trellis from the rows of this matrix [3] . On the other side we know a 
method to get a rectangular basis in the minimal trellis by the coloring algorithm. 
We will show how these two methods can be combined to construct a rectangular 
basis from the trellis oriented generator matrix such that the intermediate step 
of constructing a minimal trellis is not necessary. 



4.1 Generator Matrix in Trellis Oriented Form 

For a given codeword c = (ci, C 2 , . . . , c„) — C the left index C[c) is defined to be 
the smallest depth i for which Ci = 0 and the right index — (c) is defined to be 
the highest depth i for which Ci = 0. For example the left index of c = (0100100) 
is £(c) = 2 and its right index is —(c) = 5. Vector c is said to be aetive within 
the interval [£(c), ... , —(c) — 1] and passive in all depths outside this interval. 

Definition 3 Let G be the generator matrix of a linear eode C , and denote the 
i.th row of G by gi. Then G is said to be in trellis oriented form, if all pairs of 
rows gi,gj have distinet left and distinct right indiees: 

£(gi) = £(gj) , -(gi) = -(gj) (2) 



Example 4 A generator matrix of a parity eheek eode C(5,4, 2) is 

/I 1 0 0 0\ 

0 110 0 

^ ~ 0 0 110 ■ 

\0 0 0 1 1 / 

Sinee (2) is fulfilled, G is in trellis oriented form. 

In [1] it is mentioned, that for each linear code there exists a trellis oriented 
generator matrix. 



4.2 Minimal Trellis Construction Based on the Shannon Product 

Given a pair of linear codes G\ , C 2 of the same length and corresponding code 
trellises T{Ci), T{G 2 ) the trellis T{C) of their sum 



G — G\ + C 2 — + C2 — Cl — G\ , C 2 — G 2 — 



can be obtained by computing the Shannon product T{Ci) —T{C 2 ) = T{C) 
which is defined as follows: 




140 



Johannes Maucher, Vladimir Sidorenko, and Martin Bossert 



Definition 4 Let Vt and Vt be the set of vertices in depth t of trellises T{Ci) = 
{V,E,A) andT{C 2 ) = {V,E,A), respectively. The vertices of the Shannon prod- 
uct T{C) = T{Ci)—T{C 2 ) are then marked by pairs (v,v) with v — Vt and v — Vt- 
In T{C) a vertex (v,v) in depth t is connected to a vertex {u.u) in depth t+1, 
iff in T{C\) vertex v — Vt is connected to vertex u — Vt+i and in T{C 2 ) vertex 
V — Vt is connected to vertex u — Vt+i. If a is the label of the edge which con- 
nects V and u in T{C\), and j3 is the label of the edge which connects v and u in 
T{C 2 ), then the label of the edge which connects vertex (v,v) with vertex {u,u) 
in T{C) is a /3 : 



t t+1 

a, ;i 




Let gi be a row of a generator matrix of a linear {n, fc)— code C, defined over 
GF{q). We denote by T{gi) the minimal trellis of a subcode 

Ci = -gi-= -^gi - s - GF(q)- 

spanned by gi. The minimal trellis T(G) can be constructed from its trellis 
oriented generator matrix G by a stepwise calculation of the Shannon product 
of subcode trellises: 

Theorem 2 Let -gi,g 2 , - - ,gk~ be the rows of the generator matrix G of a 

linear code C. Then the Shannon product T{gi) T{gk) is a minimal trellis 

of C, iff G is in trellis oriented form. 

This Theorem is proved in [3] and [6]. 



5 Construction of a Rectangular Basis from the Trellis 
Oriented Generator Matrix 

5.1 Subcodes of Dimension fc = 1 

The minimal trellis T{gi) has the property that in all depths I within the two 
intervals [1,... ,H(gi) — 1] and [— (gi),-- - ,u] all components of vector gi are 
zero- Therefore in these depths I also all components ci of all codewords in Ci 
are zero. From this follows property PI and from PI follow properties P2, P3 
and P4 of the minimal trellis T{gi). 




Rectangular Basis of a Linear Code 



141 



PI All codewords of Ci have the same (£(gi) — 1)— head, but distinet heads 
for I — £(gi). All codewords of Ci have the same — (g^)— tail but distinct 
Z— tails for I < — (gi). 

P2 All paths pa{c),c — Ci go through the same vertex in depth I, if gi is passive 
in depth 1. 

P3 For all pairs Ca,Cb of distinct vectors from Ci the paths pa{ca) and pa{cb) 
go through distinct vertices in depth I, if gi is active in depth 1. 

P4 In depth I = — (gi) all q distinct paths pa{c) of codewords from Ci merge 
into a single vertex, denoted by vr{i). 

Note that vr{i) is the only vertex in T{gi) in which merges more than one 
path - in particular q paths. The eoloring in this trellis can be ehosen for example 
such that all edges incident to vr{i) which are labeled by a nonzero element from 
GF{q) are colored. The set oi q — 1 basis codewords b which belong to these 
colored edges in depth / = — (g^) is then the set of all nonzero codewords in Ci. 
However, this set is not the complete basis, since one must also assign a basis 
codeword b to the colored edge e in depth I = n, which is incident to Vg. Since 
this codeword must correspond to a noncolored path from Vr to v = i{e), it can 
only be the allzero eodeword from Ci. This proves the following Theorem: 

Theorem 3 The rectangular basis of a linear code C of dimension k = 1 is 

B = C. 



5.2 Linear Code of Dimension k 

Let us now investigate how to determine colored edges, i.e. basis veetors which 
are assigned to colored edges, directly from the trellis oriented generator matrix 
of a linear code. By Theorem 2 the minimal trellis T{C) of such a code is the 
Shannon product of the minimal trellises of the subcodes: 

T{C) = T(gi) T(gfe). 

From Definition 4 follows that in trellis T{C) = T(Ci) —T{Cj) there exists a 
vertex in which merges more than one edge in depth t, iff in at least one of the 
trellises T{Ci),T{C 2 ) there exists a vertex in depth t, in which merges more than 

one edge. This means that in T{C) = T(gi) T{gk) there exist vertices 

in which merge more than one edge only in depths — (gi),— (g 2 ), ■ • • (gfe)- 
W.l.o.g. we assume that the rows of the trellis oriented generator matrix are 

ordered such that C{gi) < £(gi+i) and — (gi) < — (gi+i) for alH 1, . . . ,k — 

1— . In the sequel we will determine the codewords, which correspond to edges, 
which merge together in one of the depths — (gi). 

We define Gi to be the matrix, which consists of all rows of G, except row 
gi. The code generated by Gi is then the complement of subcode Ci in C: 

f^i 5 • • • ? gi — 1 7 gi+1 ) ■ ■ • 5 gfc ~ 




142 



Johannes Maucher, Vladimir Sidorenko, and Martin Bossert 



For a fixed codeword c —Ci we define a coset Ci{c) of Ci as follows: 

Ci(c) = -c + c - c-Ci-=sgi + c - s-GF{q)~. (3) 

Using these definitions we can generalize properties PI to P4 as follows: 



Q1 All codewords of Ci{c) have the same (£(gi) — 1)— head but distinct heads 

for I — P(gi). All codewords of C'i(c) have the same — (gi)— tail but distinct 
tails, for I < — (gi). 

Q2 All paths pa{c),c — Ci{c) go through the same vertex in depth I, if gi is 
passive in depth 1. 

Q3 For all pairs Ca,Cb of distinct vectors from Ci{c) the paths pa{ca) and pa{cb) 
go through distinct vertices in depth I, if gi is active in depth 1. 

Q4 In depth I = — (gi) all q distinct paths pa{c) of codewords from Ci{c) merge 
into a single vertex, denoted by vr(i,c). 



We will now determine the set of distinct vertices vr{i,c) in depth k = —(gi), 
in particular the corresponding codewords c — Ci whose paths pa(c) go through 
vertex vr(i,c). 

In each depth li = — (gi) the generator matrix G can be partitioned in 

submatrices and G*"* as follows: G^^’^ is defined to be the matrix, which 
consists of the rows of the generator matrix G, which are passive in depth li 
and is defined to be the matrix, which consists of the = k — rows 
of the generator matrix G, which are active in depth li. The codes generated by 
and G*'^’^ are denoted by and C^^'\ respectively. In the special case 
= 0 we define to contain only the all-zero codeword. 



For a fixed codeword u — we define a coset G*-^’ )(u) of G('*) as follows: 



G('-)(u) = ^+u - 



(4) 



Note that in (4) all vectors a — are generated by all rows of G, which are 
passive in depth li. Therefore we have property SI. The vector u in (4) is a 
vector generated by active rows of G in depth L, which yields S2. Combining 
SI and S2 yields S3. 

51 In depth U = — (gi) all paths pa(c), c — (u) go through the same vertex. 

52 For all pairs Ua,U{, of distinct vectors from G^^'\ the paths pa(c),c — 
C(h) 

(ua) go through distinct vertices than the paths pa(c),c — C^^'\ub). 

-r(li) (li) 

53 In depth ? there exist distinct vertices. Each path pa(u), u — G goes 
through a distinct vertex in depth li. 



From property 5'3 we know that in each depth U = — (gi), i 1, • ■ ■ , k— 

there exist distinct vertices ur(i,u), and from Q4 we know that in each 

of these vertices merge q distinct edges. These q distinct edges belong to the q 
distinct paths pa(c),c — Ci(u). W.l.o.g. the coloring of the edges which merge 




Rectangular Basis of a Linear Code 



143 



into vertex vr{i, u) can be chosen such that all g — 1 edges which belong to paths 
pa{c),c — Ci{u) — u— are colored. This means that all vectors c — C'i(u) — u— 
must belong to the basis. If we apply the defined coloring to all distinct 

vertices vr{i,u) in depth li = — (gi) the set of basis vectors Bi, i.e. the basis 
vectors which belong to colored edges in depth i is: 

B, = -C,(u)^ 

= -sgi + u — s—GF{q) — 0— andu— — 

where is the code generated by all rows of G, which are active in depth 
li = — (gi)- Taking into account that in depth I = n all edges, incident to 
the goal vertex Vg must be colored and the basisvector, which corresponds to 
this additional colored edge can be chosen to be the all zero codeword 0 , the 
rectangular basis B of code C is 

B = -0— U B,. 

i 

Thus the basis B can be determined directly from the rows of the trellis oriented 
generator matrix, without constructing the minimal trellis T{C). 

Examples From the generator matrix of the parity eheek eode (7(5,4, 2), 
represented in Example f we obtain the sets B\ = —11000, 10100— 
B 2 = -01100,01010— S 3 = -00110,00101— S 4 = -00011— The union of these 
sets together with the allzero codeword yields the same basis B, as calculated by 
the coloring algorithm in Example 3. 

References 

1 . G. Forney. Coset codes - part ii: Binary lattices and related codes. IEEE Trans. 
Inform. Theory, 34:1152-1187, 1988. 

2. G. Graetzer. Universal Algebra. D. van Nostrand Company, Inc., Lon- 
don/Toronto/Melbourne, 1968. 

3. F. Kschischang and V. Sorokine. On the trellis structure of block codes. IEEE 
Trans. Inform. Theory, 41:1924-1937, 1995. 

4. J. Maucher. On the theory of rectangular codes. Ph.D Thesis, Department of Infor- 
mation Teehnology, University of Ulm, 1999. 

5. D. Muder. Minimal trellises for block codes. IEEE Trans. Inform. Theory, 34:1049- 
1053, 1988. 

6. V. Sidorenko, G. Makarian, and B. Honary. Minimal trellis design for linear codes 
based on the shannon product. IEEE Trans. Inform. Theory, 42:2048-2053, 1996. 

7. V. Sidorenko, J. Maucher, and M.Bossert. Rectangular codes and rectangular alge- 
bra. Proc. of 13.th AAECC Symposium, LNCS, Nov. 1999. 

8. V. Sidorenko, J. Maucher, and M.Bossert. On the theory of rectangular codes. Proc. 
of 6.th International Workshop on Algebraic and Combinatorial Coding Theory, 
Sept. 1998. 

9. V. Sidorenko, J. Maucher, M.Bossert, and R. Lucas. Rectangular codes in iterative 
decoding. Proe. of ITG Paehtagung, Jan. 2000. 




Graph Decoding of Array Error- Correcting Codes 



Patrick G. Farrell', Seyed H. Razavi^ 

‘ Lancaster University, UK 
P ■ G ■ FarrellSlancaster .ac.uk 



^ Curtin University of Technology, Perth, Australia 



Abstract. The motivation for this paper is to report on concepts and results 
arising from the continuation of a recent study [1] of graph decoding 
techniques for block error-control (detection and correction) codes. The 
representation of codes hy means of graphs, and the corresponding graph-hased 
decoding algorithms, are described briefly. Results on the performance of graph 
decoding methods for block codes of the array and generalised array type will 
be presented, confirming the illustrative examples given in [1]. The main novel 
result is that the (7,4) Generalised Array Code, equivalent to the (7,4) 
Hamming Code, which has a graph which contains cycles, can be successfully 
decoded by means of an iterated min-sum algorithm. 



1. Introduction 

Graph decoding, using soft-decision methods, is potentially capable of providing 
simpler decoder implementations than other techniques. This applies particularly to 
list decoders, serial and parallel coding schemes, and iterative (eg, turbo) decoding 
algorithms. In these cases it is necessary to pass soft-decision information between 
the various stages of decoding, and graph-based decoding algorithms (eg, max- or 
min-sum and sum-product) are ideally suited for this purpose. In addition, they 
provide optimum symbol-by-symbol decoding as well as maximum and near- 
maximum likelihood codeword decoding. 

Representation of a code by means of a graph was originally proposed by Tanner 
in 1981 [2]. Tanner used an iterative decoding algorithm previously discovered by 
Gallager in 1962 [3], and applied by him to the decoding of low-density parity-check 
codes. However, the power of this combination of a graphical representation and an 
iterative decoding algorithm was not fully realised until the work of Wiberg, Loeliger 
and Kotter in 1995 and 1996 [4,5]. This has led to a flurry of research into graph 
decoding, which is partly summarised in [1] and a paper by Forney [6]. It is 
interesting to note that very recent results on graph-based decoding have led to the 
creation of analog decoders, which outperform digital decoders by two orders of 
magnitude in speed and/or power consumption [8]. 

It turns out that array code and generalised array code (GAC) constructions [7] for 
block codes ( and almost all optimum and well-known block codes can be constructed 

M. Walker (Ed.): IMA - Crypto & Coding'99, LNCS 1746, pp. 144-152, 1999. 

© Springer- Verlag Berlin Heidelberg 1999 



Graph Decoding of Array Error-Correcting Codes 



145 



in this way) facilitate and simplify the graph deeoding of block codes. There are two 
main reasons for this. Firstly, the coset decomposition structure of a GAC leads to a 
corresponding decomposition of the Tanner graph into several disjoint sub-graphs, 
which in many cases do not contain cycles. This is important because almost all 
interesting eodes have Tanner graphs with cycles, which then makes it difficult to 
apply a graph-based decoding algorithm. This coset decomposition was demonstrated 
in [1], with illustrative examples. Results using a simplified version of the max-sum 
algorithm are given below. Secondly, array codes and GACs can relatively easily be 
characterised by sectionalised Tanner and state [1,6] graphs, in which each node 
represents more that one eodeword symbol. This leads to a simplified graph, with 
fewer or no cycles, thus in turn simplifying the decoding algorithm. Some results 
were given in [1], and will also be the subject of a future paper. 

Even with coset decomposition and/or sectionalisation, some code graphs or sub- 
graphs will turn out to contain cycles. It is therefore of interest to explore ways of 
applying the max-sum and other “belief propagation” algorithms [4,5] to graphs with 
cycles. The results of such a study are reported below for the particular case of the 
binary Hamming code with block length n = 7, k = 4 information bits and minimum 
distance d = 3, formulated as a GAC structure, using an iterative and simplified max- 
sum algorithm. This algorithm is not the one introduced in [1], which on further 
investigation turned out to be faulty. The present algorithm, however, can correct 
single hard errors in any position in the (7,4) codewords; simulation results for its 
performanee under additive white Gaussian noise conditions (soft errors) also will be 
reported in a future paper. 



2. The Tanner Graph and Max-Sum Algorithm 

The Tanner graph [2] of a binary, block, error-correcting code is a bipartite graph 
speeifying the parity check relationships of the code. Each position (bit) of a 
codeword in the code is represented by one of a first set of nodes in the graph. All the 
position nodes in a parity relationship are joined by edges to one of a second set of 
nodes called parity nodes. There are n position nodes and n-k parity nodes in the 
Tanner graph of an (n,k,d) code. 

The Tanner graphs of the (7,3,3) Array code and the (7,4,3) GAC are shown in 
Figures 1 and 2. The (7,3,3) code is constructed using the (2,1,2) row code and the 
(4,3,2) column code, with the check-on-checks bit then removed [7]. The parity 
relations are therefore between positions 1 and 2, 3 and 4, 5 and 6, and 1,3, Sand 7; as 
Figure 1 confirms. The graph does not contain cycles (ie, is a tree). This construction 
is also used as the basic Array code for the (7,4,3) code, but in addition a binary 
codeword (000 or 111) from the (3.1.3) repetition code is added to the bits in 
positions 2, 4 and 6. This then creates the (7,4,3) GAC code [7]. The generator matrix 
of this code is: 




146 



Patrick G. Farrell and Seyed H. Razavi 



r 



G = 



1100001 

0011001 

0000111 

0101010 



which leads to the parity check matrix: 



H = 



f -S 

1111000 
0011110 
1010101 



as illustrated in Figure 2. It can be seen that this graph contains cycles. 

Details of the max-sum decoding algorithm are given in [1,4, 5, 6]. Briefly, the 
Tanner graph of a code is realised as a set of position nodes linked by edges to adders 
which implement the parity nodes. Assuming that the graph does not contain cycles, 
the algorithm starts simultaneously from all the outer nodes, moves towards the root 
of the tree and then propagates back towards the outer nodes. The initial log- 
likelihood weights w(0) = log{prob(y/x = 0)} and w(l) = log{prob(y/x = l)}of each 
received signal element y (representing the transmitted bit x plus noise and other 
possible impairments) are allocated to the corresponding nodes. As the algorithm 
propagates through the graph, the weights are processed as follows: 

• at a node, the outgoing weights are the sums of the corresponding incoming and 
initial weights, the final weights at an inner node are the sums of the incoming and 
outgoing weights on any edge attached to the node, and the final weight of an 
outer node is the sum of the incoming and initial weights; 

• an adder, the outgoing weights are the maxima of the sums of all the 
corresponding incoming weights, over the set of all possible incoming bit 
configurations. 

In the binary case, only the difference in the weights matters during the algorithm 
computations, so only a single metric (which now may be negative as well as 
positive) given by w(0) - w(l), is used in the processing, as follows: 

• at a node, the metric (difference) is the algebraic sum of the corresponding node 
metrics, combined as before; 

• at an adder, the outgoing metric has magnitude given by the minimum value of the 
incoming metrics, and sign given by the sign of the product of all the incoming 
metrics; it is zero if any one of the incoming metrics is zero. 

Thus, with this simplification, the max-sum algorithm becomes a min-sum 
algorithm [1,6]. The final result of using either decoding algorithm is the same, of 
course, except for the normalisation inherent in the simplified min-sum algorithm, 
and the same implications follow. 




Graph Decoding of Array Error-Correcting Codes 



147 



1 

2 

3 

4 

5 

6 
7 




Fig. 1. Tanner graph of the (7,3,3) Array code 



1 

2 

3 

4 

5 

6 
7 




Fig. 2. Tanner graph of the (7,4,3) GAC 




148 



Patrick G. Farrell and Seyed H. Razavi 



3. Decoding the (7,3,3) Array Code 

The realisation of the graph of the code, given in Figure 1, is shown in Figure 3. If the 
initial metric at nodes 1,2, 4-7 is 4, corresponding to high confidence zeros, and is -2 
at node 3, corresponding to a lowish confidence one, then applying the min-sum 
algorithm leads to final metrics of 10 for nodes 1,2, 5, 6 and 6 for the remaining nodes. 
The single error in node 3 is corrected, as expected, and the result also shows that 
positions 4 and 7 in the codeword are more affected hy the error in position 3 than the 
other positions, as indicated by the lower confidence metric values. 



4. Decoding the (7,4,3) GAC 

As Figure 2 shows, the Tanner graph for the (7,4,3) code is not a tree, because it 
contains cycles or loops. Regardless of the way in which the code is constructed, its 
corresponding Tanner graph will always contain cycles. In order to use the min-sum 
decoding algorithm with this code, it is therefore necessary to find ways in which to 
avoid or overcome the problem of the presence of the cycles. 



4.1 Using the Coset Graph 

A first way of dealing with the problem is to take advantage of the GAC form of the 
code, as described above. This structure means that the codewords in the code can be 
classified into two cosets: the first coset comprises the codewords of the (7,3,3) Array 
code, and the second coset consists of the same codewords but with the 2 “‘, 4 "' and 6* 
positions in the codewords inverted (complemented). The first coset is obtained when 
the 000 codeword in the (3,1,3) repetition code is added to positions 2, 4, and 6 in the 
basic (7,3,3) codeword (see Section 2 above); adding the 111 codeword then creates 
the second coset. Thus the (7,4,3) code can be represented by a pair of graphs, one for 
each coset. The graph corresponding to the first coset is identical to the graph for the 
(7,3,3) code, and the second graph is the same except that the bits in positions 2, 4, 
and 6 are inverted (which is equivalent to multiplying their metric values by -1) for 
the decoding process. The (7,4,3) GAC graph may therefore be drawn as in Figure 4; 
the min-sum algorithm is applied first with positions 2, 4, and 6 non-inverted, and 
then secondly with them inverted. In practice these two passes can be done serially or 
in parallel, as convenient. The results of each pass are then appropriately combined to 
obtain the final metrics for each bit. 

For example, let a set of initial metrics be 4, -4, 4, 4, 4, -4, and 4 in bit positions 1, 

2, ,7 respectively. This corresponds to receiving the codeword 0101010 with a 

hard error in position 4. After combining the results of the first and second decoding 
passes, the final node metrics are 4, -4, 4, -4, 4, -4, 4. The error in position 4 is 
corrected, and all bits have the same final confidence value. 




150 



Patrick G. Farrell and Seyed H. Razavi 




Fig. 5. Split graph for the (7,4,3) GAC 



4.2 Using a Split Graph 

The second way of dealing with the problem is to modify the graph so as to remove 
the cycles, and then to repeatedly apply the min-sum algorithm until the final metrics 
converge satisfactorily. The modification consists of splitting an appropriate set of 
nodes so as to remove the cycles and create a tree graph. In general there are several 
ways of doing this. Figure 5 illustrates one way of modifying the graph of the (7,4,3) 
code shown in Figure 2, by splitting node 3 into three nodes, and node 4 into two 
nodes. In effect, this has replicated bit positions 3 and 4 in the codewords of the code, 
which would give an unfair weight to the initial metrics of nodes 3 and 4. Therefore 
the initial metric on each of the three nodes corresponding to position 3 should be 
only one third of the original value, and one half of the initial value on each of the 
two nodes corresponding to position 4. With these modifications, the min-sum 
algorithm can be applied repeatedly, in a number of iterations. 

For example, let a set of initial metrics be 4, -4, -4, -4, 4, -4, 4 in bit positions 1, 2, 
...,7 respectively. This corresponds to receiving the codeword 0101010 with a hard 
error in position 3. After splitting nodes 3 and 4, and reducing their initial metrics 




Graph Decoding of Array Error-Correcting Codes 



151 



accordingly, the set of initial values becomes 4, -4, -1.33, -1.33, -1.33, -2, -2, 4, -4, 
4. The final metrics after two iterations of the min-sum algorithm are as follows: 

• 1.33, -2.67, 2.67, -1.33, 1.33, -2.67, 2.67 

• 2.89,-3.34, 6,-3.11,2.89,-3.34,3.56 

Note that the error in position 3 has been corrected, and that the metrics of the 
other positions are converging back to their original high confidence values after 
initial falls. Errors in other positions are similarly correctable, but may require up to 
four iterations. 



5. Conclusions 

Two methods which permit the use of the min-sum (or max-sum) graph decoding 
algorithm for block codes with Tanner graphs containing cycles have been described. 

The coset graph method becomes computationally complex if the code has a large 
number of cosets, as many codes of practical interest do. It is therefore relevant to 
consider methods for limiting the number of cosets which have to be searched [9], 
though then the final metric values may not be very accurate. The method also 
depends on the basic coset having a cycle-free graph, and again this will not 
necessarily be so in many cases of interest. One way to increase the number of cycle- 
free coset graphs is to create suitable “sectionalised” Tanner graphs, with nodes 
representing more than one codeword position, and “adders” now operating on bit 
sequences rather than individual bits. State graphs [4,5,6] also seem very promising. 

The split graph method warrants much further investigation. It is not clear, for 
example, when iteration should stop and how accurate the final metric values are after 
the last iteration. Computer simulations to determine the performance of the method 
for a range of codes and error conditions are also required. Is there an optimum way 
to split the cycle graph? Can state, coset and split graph techniques be combined in 
some way, to derive more effective soft decoding algorithms? These and other 
interesting questions will be addressed in subsequent papers. 

References 



[1] P.G. Farrell: Graph Decoding of Error-Control Codes; S* Int. Symposium on DSP for 
Communication Systems, Scarborough, Perth, Australia, 1-4 Febmary, 1999. 

[2] R.M. Tanner: A Recursive Approach to Low-Complexity Codes; IEEE Trans Info Theory, 
Vol IT-27, No 5, pp533-547. Sept 1981. 

[3] R.G. Gallager: Low-Density Parity-Check Codes; IRE Trans Info Theory, Vol IT-8, No 1, 
pp 21-28, Jan 1962. 

[4] N. Wiberg, H.-A. Loeliger & R. Kotter: Codes and Iterative Decoding on General Graphs; 
Euro Trans Telecom, Vol 6, pp5 13-526, SEPT 1995. 

[5] N. Wiberg: Codes and Decoding on General Graphs; PhD Dissertation, Linkoping 
University, Sweden, April 1996. 




152 



Patrick G. Farrell and Seyed H. Razavi 



[6] G.D. Forney: On Iterative Decoding and the Two-Way Algorithm; Int Symp on Turbo 
Codes, Brest, France, Sept 3-5, 1997. 

[7] P.G. Farrell: On Generalised Array Codes; in Communications Coding and Signal 
Processing, Eds B. Honary, M. Darnell and P.G. Farrell, Research Studies Press, 1997. 

[8] H.-A. Loeliger, F. Tarkoy, F. Lustenberger & M. Helfenstein: Decoding in Analog VLSI; 
IEEE Comms Mag, April 1999, pp 99-101. 

[9] 1. Martin & B. Honary: Two-Stage Trellis Decoding of the Nordstrom-Robinson Code 
Based on the Twisted Squaring Construction, submitted to lEE Proceedings - 
Communications. 




Catastrophicity Test for Time- Varying 
Convolutional Encoders 



Conor O’Donoghue^ and Cyril Burkley^ 

^ Silicon & Software Systems, South County Business Park, 
Leopardstown, Co. Dublin, Ireland 
conoro@s3group . com 

^ Dept, of Electronic Engineering, University of Limerick, 
Limerick, Ireland 
Cyril . burkleyOul . ie 



Abstract. A new catastrophicity test for convolutional encoders whose 
rate and generator polynomials vary with time is presented. Based on 
this test computationally efficient algorithm to determine whether or 
not a time- varying convolutional encoder is catastrophic is derived. This 
algorithm is shown to be simpler than the catastrophicity test proposed 
by Balakirsky [1]. Eurthermore, the algorithm can easily be generalised 
to rate k/n time- varying convolutional encoders. 



1 Introduction 

Let Fg[ZI] denote the ring of polynomials in the indeterminate D with ele- 
ments a{D) = rri 0, and F,j, where F^ is some finite field 

with q elements and g is a prime power. An n-vector of polynomials, a{D) ~ 
{ai{D),a 2 {D), ,an{D)), is an element of Fq[D]"'. The degree of a{D) is de- 

fined as the maximum degree of its components 

dega(D) = max degOi(£>) (1) 

A rate k/n fixed convolutional code C may be generated by any Fg[Z?]-matrix 



G{D) = 



9ii{D) 


gin{D) 


9i{D) 


9ki{D) 


9kn 


9k{D) 



( 2 ) 



whose rows span C. The ith constraint length and the overall constraint length of 
G{D) are defined as Vi = deggj(D) and v = Vi, respectively. The memory 
of G{D) is defined as Vm = max^ Vi . Thus, we can write 

G{D)= Z^GiD^ Gi F,'^ - (3) 

A convolutional encoder is said to be catastrophic if there exists some input 
sequence, u{D), with infinite Hamming weight which generates a code sequence. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 153-162, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




154 Conor O’Donoghue and Cyril Burkley 



y{D) = u{D)G{D), with finite Hamming weight. Such encoders are undesirable 
as a finite number of channel errors may give rise to an infinite number of errors 
in the decoded sequence. A necessary and sufficient condition for catastrophic 
convolutional encoders was first obtained by Massey and Sain [2] and generalised 
by Olsen [3]. Let Ai{D) be the ith full size minor of G{D) and define 

d{D)=gcd (4) 

where L = (^(. Then G[D) is noncatastrophic if, and only if, 5{D) = D‘^ for 
some d 0 . 

A generator matrix, G{D), for C is canonical if its realisation in controller 
canonical form is minimal i.e. there are no encoders for C requiring fewer memory 
elements. If G{D) has constraint lengths Vi \ the high order coefficient matrix, 
Gh Fg ”5 is the matrix whose ith row consists of the coefficients of H’'* in 
the ith row of G{D). The following theorem, due to Forney [4,5], states when a 
generator matrix is canonical 

Theorem 1 Let G{D) Fq[D]^ " be a generator matrix for some C with over- 
all constraint length v. Then the following statements are equivalent: 

(a) G{D) is a canonical generator matrix. 

(b) (i) The ged of the k k minors of G{D) is 1 and 
(ii) their greatest degree is v. 

(c) (i) G{D) is noncatastrophic and 

(ii) Go and Gh have full rank. □ 

The constraint lengths of any canonical generator matrix are invariants of the 
code C and are called the Kronecker indices of C, and denoted by The 

sum n = (^ is simply referred to as the Kronecker index and is a measure of 
the complexity of C. 

2 Time- Varying Convolutional Codes 

Consider N convolutional codes of rates 1 /ni , . . . , 1/ un and constraint length 
at most yu defined by the generator polynomials 

G\D)=[g^o{D)g\{D) 1-t-N (5) 

We define a selection function ip such that p{t) 1,2,..., A^— and 

p{t + iT) = Lp{t) -4,i (6) 

As ip{t) is periodic it is completely specified by the T-tuple ip = (y(0), . . . , p{T — 
1)). Consider an information sequence uq,ui, . . . . Then the time- varying convo- 
lutional encoder output at time t is given by 

yt = { Lo^t-^Gf ^ 



(7) 




Catastrophicity Test for Time- Varying Convolutional Encoders 



155 



The encoder may be realised with a single shift register of length n and time- 
varying connection vectors. In order to maximise utilisation of the available 
memory it is commonly assumed [6] that 

= 0 and = 0 0-i<T (8) 

All the best time-varying codes reported in [7] and [8] satisfy this condition. 
Further justification for this assumption is provided at the end of this section. 
The rate of the time- varying code is given by = 1 /n^ where 

^ ^y(O) + ^y(i) H h ny(T-i) 

Note that may not be an integer. Nevertheless, writing R^p in this form 
emphasises the fact that the time-varying code is described by a trellis corre- 
sponding to a rate 1/n fixed code but with branch labels varying on successive 
trellis sections. 

It is well known [7] that any periodic time-varying convolutional code with 
memory fi and period T is equivalent to a fixed rate T/n^T code with generator 
matrix 

G{D) = ( G, - (10) 

where Vm = -^u/T— and 

^ ^jT ^jT+l • • • 

_ ; ^jT-l ^jT • • • ’^0 + l ) T -2 

^ ¥^(0) ^V^(I) 

where, by convention, G) = 0 for j < 0 and for j > fi. Letting k = VmT — the 
constraint lengths of G{D) can be shown to be 





The overall constraint length is, therefore, v = ji. This equivalence of time- 
varying and fixed codes means that one can think of a time-varying code with 
period T and constraint length jd as a special case of a rate T/n^T code which 
can be decoded with a simpler T-stage decoder with two additions and a binary 
comparison instead of a single stage decoder with 2^ additions and a 2^-ary 
comparison for each state. 

It is worth noting that using = (p(t-|-r), t — Z, instead of ip{t) results in 
essentially the same time-varying code. However, the corresponding fixed code 
will, in general, be different. Therefore, for every periodic time-varying code 
there are T equivalent fixed convolutional codes. Now, consider the case where 




156 Conor O’Donoghue and Cyril Burkley 



Gg = 0 for some 1 — r — N. Choose r such that (. ■ ■ ,r). The generator 

matrix for the equivalent fixed convolutional code has a low order coefficient 
matrix 



Go = 



qV'( 0 ) qv'W 

; 0 

> 

0 0 



... G 
... G 



v'iT 1 ) 



T-1 V 



T-2 



Crg 



(13) 



But Gg = Gg = 0 and hence the last row of Go is zero. As a result the 

encoder has non-zero delay and therefore v < fi. A similar argument may be used 
to show that, if there is some r for which G(( = 0, then the generator matrix of 
at least one of the equivalent fixed codes will have constraint length v < (jl. Since 
— u it follows that v < /i. Therefore all time-varying encoders not satisfying 
(8) are equivalent to fixed codes with Kronecker index v < ^ and therefore will 
have poorer distance properties. Consequently (8) is assumed throughout the 
remainder of this paper. 



3 Catastrophicity Test 

A time-varying encoder can be tested for catastrophicity by computing the gcd 
of the full size minors of G{D), the generator matrix of the equivalent fixed code. 



Example 1 Consider the time-varying eode defined by (p = (0,1) and the gen- 
erator matrices 



G°{D) ^[1 + D^l + D + D^{ G\D) =[l + Dl + D^{ 

The equivalent rate 2 /4 fixed convolutional code has generator matrix 



G{D) 



■ 1 1 + Dl D{ 
D 1 1 



S{D) = 1 and hence the encoder is noncatastrophic. 



Example 2 A time-varying code is defined by p> = (0,1,2) and the generator 
matrices 



G^{D)= [l + Dl + D + D‘^{ G^{D)= + D + 

G^{D) =[D1 + D^{ 

The generator matrix for the equivalent rate 3 /6 fixed convolutional code is 

(1 1 0 1 0 1 ( 

G{D) = . 0 T) 1 1 1 0. 

^ D DO DOl^ 



In this case 5{D) = I D and therefore the encoder is catastrophic. 




Catastrophicity Test for Time- Varying Convolutional Encoders 157 



These examples demonstrate that catastrophicity is not inherited from the en- 
coders G*(H), 1 — i — In Example 1 both G^{D) and G^(D) are catastrophic 
but the time-varying encoder is noncatastrophic. The reverse is the case in Ex- 
ample 2. Note also that if <p = (0, 2, 1) is used in Example 2 the resulting 
time-varying code is noncatastrophic. 

In general, the gcd method is not suitable for use in computer searches for 
good codes as it is not computationally efficient and the complexity grows ex- 
ponentially with T. For example, a time-varying code with period T — 4 and 
riip = 3 requires computing 495 4 — 4 minors and then finding their greatest com- 
mon divisor. As an alternative, Balakirsky [1] derived a necessary and sufficient 
condition for catastrophicity based on the properties of autoregressive filters. 
However, it is not clear that the computational complexity of Balakirsky’s test 
is significantly lower than that of the gcd method. In this section we present a 
new catastrophicity test for time- varying convolutional codes. A fast algorithm 
implementing the test is derived in Section 4. 



Lemma 1 A periodic time- varying encoder with generator matrices G*(D), I — 
i — N, and selection function ip{t) is noncatastrophic if, and only if, G{D), the 
generator matrix for an equivalent fixed code, is canonical. □ 



Proof. Let C be the rate T/n^T code generated by G[D). The low- and high- 
order coefficient matrices of G{D) are given by 



Go 



V Ltq . . • ^'J'_ \ 

^ 0 0 



Gh = 



0 

It-. 0 



( G 



v(o) 



G 



V’(O) 

/i-T+l 



. G 



0 

V(T-I) 



(14) 



where k = T-fj,/T — /r. Since Gg = 0 and = 0 for all 1 — i < T it follows 
that both Go and Gh have full rank. Therefore, by statement (c) of Theorem 1, 
the time-varying encoder is canonical if, and only if, it is noncatastrophic. □ 



Thus we may test a time- varying encoder for catastrophicity using the following 
canonicity test for rate k/n fixed convolutional encoders [9, Theorem 6]. 

Theorem 2 Let G{D) — be any generator matrix with overall constraint 
length V and memory Vm- Then G{D) is canonical if, and only if. 



vankTiJ^v] = (fc -|- l)u 
where is the (£ + Vm)k — In matrix 

(Go 0 ( 



HM = 



Gv^ Go 

•. : t> 

G„ 



I 



(15) 



(16) 



0 



□ 




158 Conor O’Donoghue and Cyril Burkley 



With a view to reducing the number of computations required to determine the 
rank of 7d_[u] we will analyse the rank properties of this matrix in more detail. 
To do this we will use the following lemma due to Forney [4], 

Lemma 2 Let C be any rate k/n fixed convolutional code with Kronecker in- 
dices and let denote set of polynomial codewords in C with degree 

strictly less than 

Cl ■■= -^{D) -C-degy(L>) < dely(£>) - 0- (17) 

Then Ci is a subspace of C over Fg with dimension 



dimp Cl = — V + ( {vi — 1) 



(18) 

□ 



The rank of the matrix H-[i] is given by the following theorem. 

Theorem 3 Let C be a rate k/n fixed convolutional code and let G{D) be any 



generator matrix for C with constraint lengths . Then 

rank7f_[^] = k^ + v — ( {u// — €) (19) 

V.V^>1 

where Kronecker indices of □ 

Proof. Let H(D) be any canonical polynomial generator matrix for C~ . Since C 
and C~ are dual subspaces of Fg[L>]” it follows that 

H{D)G-{D) = 0 (20) 



where the dash denotes matrix transposition. Equivalently we can write HG = 0 
where H and G are the semi-infinite block matrices 



1 


...1 


( 


(GoGrG2-G3-...( 




f 0 H 0 H 1 H 2 ... 


/ 


, 0 GqGj:G2-.../ 


H=\ 


) 0 0 Ho Hi... \ 




) 0 0 GoGr...; 


1 

1 


f : : : : 1 




f . . . . : 

^ • 



Now let G[l] denote the matrix consisting of the first £ block rows and i-\- Vm 
block columns of G 

(GoGr...G-„ 0 0 ( 

G[C\ = i ■•. ( ( 22 ) 

^0 0 Go Gr . . . G-^ ^ 

The kernel of G[£] is spanned by those rows of H that are zero in all but the 
first n^ columns. Since H{D) is a canonical polynomial generator matrix these 




Catastrophicity Test for Time- Varying Convolutional Encoders 



159 



rows are also a basis for , the set of polynomial codewords in C with degree 
less than 1. Therefore kerG[€] = Cj and hence from Lemma 2 

dim ker G[£\ = (n — k)£ — v — £) (23) 

We may also write dimker(5[£] = n£ — rankG)^]. Substituting into (23) and 
re-arranging terms yields 

rankG[£] = k£-\- u — ( — £) (24) 

>l 

But inspection of (22) reveals that G[£] is the transpose of H-[£]. Therefore 

rankG[£] = rankH_[^] (25) 

Substituting the expression for rankG[£] given by (24) yields the desired result. 

□ 



Combining Lemma 1 and Theorems 2 and 3 we obtain our main result. 

Theorem 4 A periodic time- varying encoder with generator matrices G*(Z1), 
\ — i ^ N , constraint length //., and selection function ^^{t) is noncatastrophic 
if, and only if, 



rank?f_[^] =T£ + ^ (26) 

where G{D) is the generator matrix of an equivalent rate T/n^T fixed code C 
and is the largest Kronecker index of □ 

We note that _i)t ^ ~ ^ hence application of Theorem 4 may 

involve significantly fewer computations than computing the rank of 7iJ(u\. In 
the next section we will use Theorem 4 as the basis of a fast algorithm to test a 
time-varying encoder for catastrophicity. 



4 Fast Algorithm 

A computationally efficient algorithm to implement the catastrophicity test of 
Theorem 4 can be obtained by exploiting the banded and block Toeplitz structure 
of the matrix H-[£]. We begin by permuting the columns of the matrices Gi q"* 
such that Go = [Goo Goi] where Goo is a nonsingular upper triangular 

matrix. This is easy to do since there is at least one non-zero element in each of 
the block matrices on the diagonal of Gq. Multiplying the block rows of T~L-[£\ 
by Gqq and re-ordering columns yields the matrix 




160 Conor O’Donoghue and Cyril Burkley 





I 


0 


So 


0 


= 


Ri 


/ 


Si 


^0 












0 




0 


^Vrr. 


■ ^ 00 ^ 


F^- 

q 


and Vm = 


fi/T 


can be put in 


the form 






I 


0 


So 


0 


0 


/ 


Se-i 


... 


0 . 


.. 0 


Se 


... 


0 . 


.. 0 




...St; 





(27) 



(28) 



where Si — 0 — i < £ + Vm- can be shown that the matrices -Si- 

are given by the recursion formula 



i-i 

Si = Si+ Ri-jSj (29) 

i=o 

Note that Ri = 0, —i>Vm and hence the computation of Si requires at most 
Vm matrix products. Having computed the -Si — we form the matrix 



W[£] =[WiW2... We 



(30) 



where 



S,; 



Wi 



S, 






(31) 



From (28) it is easily seen that rank VF[£] = rank7f_[^] — T£. Substituting the 
expression for rank7d_[-^] given by (19) yields 



rankW[£] = v- {vl - 1) (32) 



and hence by Theorem 4 the encoder is non-catastrophic if, and only if, 



ranklF[£] = i — 



(33) 




Catastrophicity Test for Time- Varying Convolutional Encoders 



161 



However, we have no a priori knowledge of ly^. This difficulty may be circum- 
vented by noting that 



rank W[t + 1] — rank W[(] — 0 (34) 

where the equality holds if, and only if, £ — . Hence we compute rank W[C\ for 

£ = 1,2, . . . until either (i) va,n]^W[^] = ^ or (ii) ra,nkW[£] — rankVF*^^“^^ = 0. 
In both cases G{D) is non-catastrophic if, and only if, rank W[£] = ji. 

Finally, we may compute rank W[l], I = 1,2,..., as follows. Using elemen- 
tary column operations put W[£\ in column echelon form, denoted here by IUc[£]. 
The rank of Wc[£] is determined by inspection, wll + 1] is easily found from the 
augmented matrix — bFt+i] where VF^+i is given by (31). The complete 

algorithm is summarised as follows: 

Step 1 From the generator matrices G^{D), 1 — i — N, and the 
function construct the coefficient matrices -Gi~^^ . 

Step 2 Compute Gqq^ and the matrices and 

Step 3 FOR l=l TO ji 

Compute Wi using the recursion formula (29). 

Using elementary column operations obtain Wc[£] 
from Wc — 1] and Wi . 

IF (ranklUc)!'] — rankIUc[f’ — 1] = 0) OR (rankIUc[£] = p) 

THEN GOTO END 
NEXT I 

Step 4 END. The encoder is noncatastrophic if rank Wc = p 



4.1 Computational Complexity 

For simplicity we assume binary codes. Computing the matrices — requires 
0{h'44pT^n^) binary operations. Computation of the rank of WGii) requires 
0{v4^p^Tn^) binary operations. Typically p will be greater than T and conse- 
quently this latter step dominates the overall computational complexity of the 
algorithm. 



5 Conclusions 

We have presented a new algorithm for identifying rate 1/n^ catastrophic time- 
varying convolutional encoders. The algorithm requires no polynomial opera- 
tions has a simple software implementation. The computational complexity is 
0{v4^Tn^pp‘^) and is less complex than the algorithm proposed by Balakirsky. 
Furthermore, the algorithm presented here is easily generalised to rate k/n^ 
time- varying codes. 




162 Conor O’Donoghue and Cyril Burkley 



References 

1. V.B. Balakirsky. “A necessary and sufficient condition for time- variant convolu- 
tional encoders to be noncatastrophic,” Lecture Notes in Computer Seience, No. 
781, pp. 1-10, Springer- Verlag, 1993. 

2. J.L. Massey and M.K. Sain, “Inverses of linear sequential circuits,” IEEE Trans. 
Computers, Vol. C-17, No. 4, pp. 330-337, April 1968. 

3. R.R. Olsen, “Note on feedforward inverses for linear sequential circuits,” IEEE 
Trans. Computers, Vol. C-19, No. 12, pp. 1216-1221, Dec. 1970. 

4. G.D. Forney, Jr., “Minimal bases of rational vector spaces, with applications to 
multivariable linear systems,” SIAM J. Control, vol. 13, pp. 493-520, May 1975. 

5. R. Johannesson and Z.-X. Wan, “A linear algebra approach to convolutional en- 
coders,” IEEE Trans. Inform. Theory, vol. lT-39, No. 4, pp. 1219-1233, July 1993. 

6. P.J. Lee, “There are many good time- varying convolutional codes,” IEEE Trans. 
Inform. Theory, Vol. lT-35, No. 2, pp. 460-463, March 1989. 

7. M. Mooser, “Some periodic convolutional codes better than any fixed code,” IEEE 
Trans. Inform. Theory, Vol. lT-29, No. 5, pp. 750-751, Sept. 1983. 

8. R. Palazzo, “A time-varying convolutional encoder better than the best time- 
invariant encoder,” IEEE Trans. Inform. Theory, Vol lT-39, No. 3, pp. 1109-1110, 
May 1993. 

9. C. O’Donoghue, and C.J. Burkley, “Minimality and canonicity tests for rational 
generator matrices for convolutional codes,” in Proc. 1998 IEEE Information The- 
ory Workshop, pp. 112-114, Killarney, 22-26 June, 1998. 




Low Complexity Soft-Decision Sequential Decoding 
Using Hybrid Permutation for Reed-Solomon Codes 



Min-seok Oh* and Peter Sweeney^ 

* CCSR, University of Surrey, Guildford, Surrey, GU2 5XH, UK 
m . oh@ee . surrey .ac.uk 

^ CCSR, University of Surrey, Guildford, Surrey, GU2 5XH, UK 
p . sweeneySee . surrey .ac.uk 



Abstract. We present a soft-decision decoding method for Reed-Solomon 
codes (RS codes) using both cyclic and squaring permutations. These permuta- 
tions are used to provide a convenient sequence which is predicted to have 
relatively low complex error pattern with respect to a modified Fano sequential 
algorithm)!]. In order to preserve bit-level soft-decision values, each sequence 
of those permutation groups must keep equal weight distribution in symbol and 
bit level. Trellis construction is based on Wolf’s method[2] and a binary sys- 
tematic parity check matrix of RS codes is used for bit-level decoding[9]. In 
simulation results, it is shown that a hybrid of those two permutations can be 
used for low complexity decoding approaching maximum likelihood perform- 
ance. 



1 Introduction 

Since Reed-Solomon codes[3] were introduced in 1960, many decoding methods 
have been developed. However, soft-decision decoding method could not be easily 
implemented because of complexity problem. Chase[5] and Forney[4] introduced 
interesting methods for soft-decision decoding of block codes. Their algorithms have 
tradeoffs between complexity and decoding performance for the application to RS 
codes. Later, some other approaches using trellis structure were developed and dem- 
onstrated some good results [6] [7]. Despite such achievements, they did not fully use 
bit-level soft-decision information and could not solve complexity problem for long 
RS codes with a large field. 

For the bit-level soft-decision decoding for RS codes, Vardy[8] presented a 
method using a union of costes being an interleaver of several binary BCH codes for 
representation of RS codes. Recently Oh and Sweeney presented another relatively 
simple method[9] which employs bit-level soft-decision information with low com- 
plexity. In this method a modified Fano algorithm was used with cyclic permutation 
of RS codes. In this work, although cyclic permutation contributes to considerable 
complexity reduction showing near-maximum likelihood performance(ML), it was 
not effective in decoding of a received sequence with widely distributed errors since a 
sequence given by a cyclic shift has a similar error pattern to the original one. In 
M. Walker (Ed.): IMA - Crypto & Coding'99, LNCS 1746, pp. 163-172, 1999. 

© Springer-Verlag Berlin Heidelberg 1999 




164 



Min-seok Oh and Peter Sweeney 



order to deal with this kind of error pattern, squaring permutation[13][16] can be 
useful, since it can provide a different set of sequences compared with the cyclic 
permutation. However, squaring permutation is generally inferior to the cyclic per- 
mutation because of smaller size of permutation group. 

In this paper, we present hybrid permutation which is a combination of cyclic and 
squaring permutations. For (n, k) RS codes over GF(2™) , since cyclic and squaring 
permutation generate n and m different sequences respectively, the hybrid permuta- 
tion provides m ■ n different sequences from an original sequence. With this permu- 
tation, a sequential decoder can reduce complexity by performing a convenient se- 
quence-first decoding. 

Complexity characteristics of sequential decoding was well studied in [10][11]12]. 
In general the complexity depends on the error bits and error location in information 
block, it is reasonable to regard the sequence with the most reliable information block 
as the most convenient for sequential decoding. In this paper, we use a criterion 
which is represented by the sum of symbol confidences within information block of 
each sequence of permutation group. The symbol confidence is taken as the worst bit 
confidence within each symbol, since the decoding complexity will be affected by the 
worst one. 

In section 2, we describe three permutation groups for RS codes: cyclic, squaring 
and hybrid permutation. Then, in section 3, we present hybrid permutation sequential 
decoding (HPSD) to achieve near-ML performance at reasonable complexity cost. 
Section 4 shows simulation results for HPSD in terms of error correcting performance 
and complexity. 



2 Symbol Permutation of RS Codes 

Permutation groups of RS codes provide many equivalent sequences which are useful 
for a low complexity decoding. When a received sequence contains some error, a 
permutation of the sequence may give a desirable effect that each permuted sequence 
can have different complexity due to changing the location of error bits. In this sec- 
tion we discuss three permutation techniques for RS codes: cyclic, squaring and hy- 
brid. 



2.1 Cyclic Permutation 



We consider (n, k) Reed-Solomon codes over GF{2"‘) and denote a code word de- 
note c(x) as 



( 1 ) 




Low Complexity Soft-Decision Sequential Decoding Using Hybrid Permutation 



165 



The elements of n cyclic permutation group T^{c{x)) are 

^ ( 2 ) 
^c, mod(^"-l) for/3 £ (0,1,2, •••,M-1) . 

yi=0 ) 

By cyclic permutation of a code word, n different sequences are obtained and each 
sequence is also a code word in which the bits and confidences are also shifted with. 
Therefore a certain error pattern of a received sequence is changed by the cyclic per- 
mutation. A decoder can firstly choose the sequence with the most convenient error 
pattern among n possible sequences. A decoding method using this kind of permuta- 
tion has been shown in[9]. 



2.2 Squaring Permutation 

Squaring permutation is a technique using the property that although the squaring of a 
code word polynomial changes the position of symbols constituting the code word, 
the squared result is also a code word. For (n, k) Reed-Solomon codes over GF(2"') , 
we can get m-different sequences which have the different error pattern. 

A decoding approach using squaring permutation decoding was previously de- 
scribed[13] based on algebraic decoding method. However, we need further consid- 
eration for the application to a bit-level sequential decoding since bit-level soft deci- 
sion information should be preserved through squaring operation. 

In this paper, each symbol for RS code is represented on normal basis[l4] which is 
defined as a set of linearly independent roots with the form for 

A, = ■ On this basis, since the result of squaring of each symbol is represented by 

just a cyclic shift, the bit level soft-decision can be completely preserved through the 
squaring process. Perlis[15] has shown that a necessary and sufficient condition for 
a normal basis such as 

m-\ 

tr{p) = '^P^‘ =\. (3) 

i=l 

Table 1. shows a normal basis satisfying the above condition. 



Tabel 1. Basis Representation for RS codes 



Field 


GF{2^) 


GF{2") 


GF(2^) 


Polynomial basis 


a^oc‘a° 


aVa‘a“ 


4 3 2 10 

a a a a a 


Normal basis 









The elements of the m squaring permutation group for s = 1,2, • • • , m — 1 . are 

f n-l n—l 



i=0 ) 



(2'^ /) mod« 



/=0 



V 



j 



(4) 




166 



Min-seok Oh and Peter Sweeney 



m-\ 

Let C; denote c, = for Uj e GF(2) on the normal basis, the coefficient cf is 

j=o 

m-1 

expressed by cf = . Consequently since squaring permutation 

1=0 

using normal basis can preserve bit-level soft-decision values through the squaring 
operation, we can apply this technique to our bit-level sequential decoding. Moreover 
squaring of a symbol can be simply obtained by a bit cyclic shift within the symbol. 



2.3 Hybrid Permutation 

Hybrid permutation is the combination of the cyclic and squaring permutation. As we 
have examined in the previous section, since for (n, k) RS codes over GF(2"‘) the m 
squaring sequences can have n cyclic permuted sequences: a total of nxm permuted 
sequences can be obtained by combining the permutations. This means that an error 
pattern from a received sequence is also changed to other patterns with nxm differ- 
ent complexity. For RS codes with a large field, the number of possible sequences 
increases. Table 1 shows the number of possible sequences by the hybrid- 
permutation. 



Table 1. Possible Sequences by Hybrid Permutation 



Field 


8 


16 


32 


64 


Possible Sequences 


21 


60 


155 


378 



Fig.l shows error pattern changes by hybrid-permutation for (15,9) RS codes. In 
the figure, it is shown that four sequences are obtained from squaring permutation 
and then 15 cyclic sequences are produced each corresponding to each one of the 
squaring permutation group. Thus total 60 sequences can be obtained from a received 
sequence and each sequence has the same symbol and binary weights as the original 
sequence because of the use of normal basis. The different thing in each sequence is 
the order of listed symbols. Since the complexity of the sequential decoder depends 
on the locations of errors, it is expected that the complexity of decoding the original 
sequence can also be changed with the permutation. 

Hybrid permutation is very attractive to design an efficient permutation sequential 
decoder, since the decoder can choose the most convenient sequence from a greater 
variety of sequences than either of the cyclic or squaring permutation individually. 
This permutation gives a solution for individual drawbacks of cyclic and squaring 
techniques which are used for permutation decoding. Widespread errors can be rear- 
ranged by the squaring permutation so that cyclic permutation can effectively manage 
the rearranged sequence. Therefore we can improve the complexity and decoding 
performance simultaneously. In particular, in the application of RS codes over a large 
Galois field, hybrid permutation will be very powerful in reducing complexity and 
improving decoding performance. 









Low Complexity Soft-Decision Sequential Decoding Using Hybrid Permutation 



167 



.(.) I ° 3 I 4 . I B I . I ,3 I 

r(x) = 

r(xr 
r^xy- 

r(xy 
r,(xy 

Fig. 1. Error Pattern Changes by Hybrid Permutation 



3 I 4 . I a I . un M 1^ 



h ° H ^ ^ 14 I . I 0 ^ 



I H ° h- - I ^3 V/A'A'mi 



WA^VA'A-V/n'^\'^Y/A-V/A^ \ -Y//A'-V^ 



'^/y\ Incorrect Symbol □ Correct Symbol 



3 Hybrid Permutation Sequential Decoder 

We present hybrid permutation sequential decoder (HPSD) which uses a modified 
Fano algorithm with hybrid permutation. The modified Fano algorithm[9] has two 
additional functions, which are path update function and decision rule, to the original 
Fano algorithm[8]. The path update function updates a searched path whenever its 
path metric is greater than current one. By the path updating, the decoder can release 
the best path. On the other hand, the decision rule is to qualify searched paths in the 
case that the decoder has searched for a wrong path as if it were the correct path. 
With those two additional functions, the modified Fano algorithm approaches maxi- 
mum likelihood performance only if the decoder has tried the correct path at least 
once. 

For the efficient operation of the sequential decoding, the decoding parameters are 
optimized as the most proper value for computational limit L and threshold spacing 
step, AT . For the convenient sequence-first search, the decoder considers the con- 
venience level as confidences with respect to the information part of a code word for 
the possible permuted sequences by hybrid -permutation. Those sequences are sorted 
by the sum of confidences of the information part and their priorities are assigned for 
decoding. The decoding procedure is explained as following: 

(i) Obtain mxn candidates by cyclic and squaring permutation. 

(ii) Assign the decoding priority of the candidates in order of lBC(information 
block confidence) of each candidate. Set trial number to 1 . 




168 



Min-seok Oh and Peter Sweeney 



(iii) Choose the sequence with the highest priority, which has the largest IBC. 

(iv) Decode the chosen sequence by using the modified Fano algorithm (MFA). 

(v) Check decoding result. 

• If the decoder has found a valid path satisfying the decision rule, release 
the path and restore its sequence order. 

• Otherwise store the best path which has been recorded so far by the path 
update function. Then go to the next step. 

(vi) Increase trial number. 

• If trial number is less than a given maximum- trial-number, choose the 
sequence with next priority and then go to step (iv). 

• Otherwise release the best path which has been recorded so far and then 
restore the permuted sequence with respect to the path. 

Fig. 2. shows the flow chart of the hybrid permutation sequential decoder. 




Fig.2. Hybrid Permutation Sequential Decoder 



4 Simulation Results 

Simulation was carried out on BPSK system with 8-level soft decision values over 
Gaussian channel. Decoding performance was obtained for (7,3), (15,9) and (31,27) 
RS codes in terms of complexity and decoding error rate as a function of Eb/No. The 
complexity was measured by average computations per information bit and error 
correcting performance was calculated by bit error rate(BER) with respect to Eb/No. 
Eor comparison with non permutation sequential decoding (NPSD), an equal value of 









Low Complexity Soft-Decision Sequential Decoding Using Hybrid Permutation 



169 



overall computational limit L was used for a same class of RS codes. The maximum 
number of trial, Y, in HPSD has the relation as 

L=L^Y (5) 

where is a computational limit per each trial. 

Fig. 3 and Fig.4 are the comparison between Viterbi and hybrid permutation se- 
quential decoding (HPSD) for (7,3) RS codes. In the figure, we can see that the de- 
coding performance of HPSD was almost equal to that of Viterbi decoding. On the 
other hand, in Fig.4, the complexity of HPSD was much lower and it rapidly de- 
creased as Eb/No increased. Thus it is well verified that the HSPD is very efficient 
decoding method achieving ML performance for (7,3) RS codes. 

Fig. 5 is the decoding performance comparison between non permutation decoding 
and hybrid permutation decoding. The hybrid permutation decoding produced con- 
siderable coding gain for (15,9) and (31,27) RS codes. Moreover more gain has been 
achieved for (31, 27) RS codes. 

Fig. 6 is the complexity comparison between HPSD and NPSD. In the figure, we 
can see that HPSD provides considerably low complexity for (7,3), (15,9) and (31,27) 
RS codes. In particular, when we consider the result obtained in Fig. 5, the most cost- 
effective performance has been achieved for (31,27) RS codes. That is, HPSD pro- 
vided around 1.0 dB gain with 1/3 complexity compared with NPSD. This results 
from the fact that more permutation group are available for (31, 27) RS codes than 
other two RS codes. Therefore HPSD will be more effective for long RS codes with 
large Galois field. 




Fig.3. Performance Comparison with Viterbi decoder 



170 



Min-seok Oh and Peter Sweeney 




bNo 



Fig.4. Complexity Comparison with Viterbi decodinG 



Decoding Error Probability Comparison between HPSD and NPSD 
using 8-level uantisation 




bNo 



Fig.5. Decoding Performance by Permutations 



Low Complexity Soft-Decision Sequential Decoding Using Hybrid Permutation 



171 




3.0 4.0 5.0 

bNo 



Fig.6. Complexity Comparison by Permutations 



5 Conclusion 

The use of the hybrid permutation gives a great improvement in decoding complexity 
and decoding performance. Since the complexity of the sequential decoding depends 
on the efficiency to search for the correct path at a given computational limit, the 
hybrid permutation decoding is very proper to drive the searching region of the de- 
coder to the most likely one. Thus if the correct path has been tried at least once, this 
HPSD will always produce the maximum likelihood performance at low complexity. 
Furthermore this hybrid permutation can be useful to design a low complexity de- 
coding for any block codes where the cyclic and squaring permutation are available. 



References 

1. Fano, R.: A Heuristic Discussion of Probabilistic Decoding. IEEE Trans. Inform. Theory. 
IT-9. (1963) 64-74 

2. Wolf, J. K.: Efficient maximum likelihood decoding of linear block codes using a trellis. 
IEEE Trans. Inform. Theory. IT-20 (1978) 76-80 

3. Reed, I.S. and Solomon, G.: Polynomial codes over certain finite fields,” SIAM Journal on 
Applied Mathematics. 8 (1960) 300-304 

4. Forney, G.D.: Generalized minimum distance decoding. IEEE Trans. Inform. Theory, IT- 
12 (1966) I25-13I 

5. Chase, D.: A class of algorithm for decoding clock codes with channel measurement in- 
formation. IEEE Trans. Inform. Theory. IT-18 (1972) 170-182, 



172 



Min-seok Oh and Peter Sweeney 



6. Shin, S.: Trellis decoding of Reed-Solomon codes. Ph.D. Thesis, (1994) 

7. Matis, K.R. and Modestino, J.W.: Reduced-search soft-decision trellis decoding of linear 
block codes. IEEE Trans. Inform. Theory. 39 (1991) 440-444 

8. Vardy, A. and Be’ery, Y.: Bit level soft-decision decoding of Reed-Solomon codes. IEEE 
Trans. Inform. Theory. IT-28 (1982) 349-355 

9. Oh, M. and Sweeney, P.: Bit-level soft decision sequential decoding for RS codes. 
WCC’99. (1999) 111-120 

10. Jacob, I. and Berlekamp, E..: A lower bound to the distribution of communication for 
Sequential Decoding. EEE Trans. Inform. Theory. IT-13 (1967) 167 - 174 

11. Savage, J.: The distribution of the sequential decoding computational time. IEEE Trans. 
Inform. Theory. IT-12 (1966) 143- 147 

12. Anderson, J.: Sequential decoding based on an error criterion. IEEE Trans. Inform. Theory. 
40(1994) 546-554 

13. Martin, I., Honary, B., and Farrell, P.G.: Modified minimum weight decoding for RS 
codes. ELECTRONICS LETTERS. 31 (1995) 713-714. 

14. Pei, D., Wang, C., and Omura, J.: Normal basis of finite field GF(2'") . IEEE Trans. 
Inform. Theory. IT-32 (1986) 285-287 

15. Perils, S.: Normal basis of cyclic fields of prime-power degree. Duke Math. J. 9 (1942) 
507-517 

16. Oh, M, and Sweeney, P.: Squaring permutation sequential decoding on normal basis for RS 
codes. ELECTRONICS LETTERS. 35 (1999) 1325-1326 




On Efficient Decoding of Alternant Codes over a 
Commutative Ring* 



Graham H. Norton and Ana Salagean 

Algebraic Coding Research Group, Centre for Communications Research 
University of Bristol, U.K. 

Graham. NortonOBristol .ac.uk. Ana. SalageanOntu. ac .uk 



1 Introduction 

Let be a commutative ring e.g. the domain of -adic integers or a Galois 
ring. We define alternant codes over , which includes BCH and Reed-Solomon 
codes. We also define a corresponding key equation and concentrate on decoding 
alternant codes when is a domain or a local ring. Our approach is based on 
minimal realization (MR) of a finite sequence [4,5], which is related to rational 
approximation and shortest linear recurrences. The resulting algorithms have 
quadratic complexity. 

When is a domain, the error-locator polynomial is the unique monic mini- 
mal polynomial of the finite syndrome sequence (Theorem 2), and can be easily 
obtained using Algorithm MR of [4] (which is division- free) . The error loca- 
tions and magnitudes can then be computed as over a field. In this way we can 
efficiently decode any alternant code over a domain. 

Recall that a Hensel ring is a local ring which admits Hensel lifting. (It is 
well-known that a finite local ring, such as a Galois ring, is a Hensel ring.) We 
characterize the set of monic minimal polynomials of a finite syndrome sequence 
over a Hensel ring (Theorem 3) . It turns out that the monic minimal polynomials 
coincide modulo the maximal ideal of (Theorem 4) when is a local ring. 
This yields an efficient new decoding algorithm (Algorithm 1) for alternant codes 
over a local ring , once a monic minimal polynomial of the syndrome sequence 
is known. For determining the error locations, it is enough to find the roots of 
the image of any such monic minimal polynomial in the residue field . After 
determining the error locations, the error magnitudes can be easily computed. 

When is a finite chain ring (e.g. a Galois ring) we invoke Algorithm MP 
of [5] to find a monic minimal polynomial. 

We note that a modification of the Berlekamp-Massey algorithm for Zm was 
given in [8], where it was claimed [loc. cit., Introduction] (without proof) to 
decode BCH codes defined over the integers modulo . An algorithm to decode 
BCH and Reed-Solomon codes over a Galois ring has also been given in [3]. 
However this algorithm may require some searching see [loc. cit., Conclusions, 

* Research supported in part by the U.K. Engineering and Physical Sciences Research 
Council under Grant L07680. The second author is now with Department of Math- 
ematics, Nottingham Trent University, UK. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 173-178, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




174 



Graham II. Norton and Ana Salagean 



p. 1019] and their decoding algorithm requires root-finding in itself, which is 
also less efficient. 

For more details and proofs, we refer the reader to [7]. 



2 Alternant Codes over a Commutative Ring 



Let be a commutative ring with 1=0 and let ( ) denote the subset of 
consisting of all elements which are not zero-divisors. 

The following definition of alternant codes over generalises the definition 
over fields. 

Definition 1 (Alternant codes) Let he a subring of and — 2. Suppose 



that = ( 1 
( ) for I - 



i) and = ( 1 

- -If 



are such that 



( ) and 



1 1 
2 

1 1 



d-2 

L 1 1 



2 2 
2 

2 2 



d-2 
2 2 



n n 
2 

n n 



d-2 
n n 



( 1 ) 



then the alternant code of length and alphabet defined by is the -module 

A{ ) = ” : = 0- 

As usual, is called the parity check matrix of A{ ). 

As in the case of fields, we have: 

Theorem 1 The minimum Hamming distance of A{ ) is at least . 



3 A Key Equation 

For decoding alternant codes over a ring we follow the main steps for their 
algebraic decoding over a finite field, except that we rely on minimal realization of 
a finite sequence which was introduced in [4] . For some advantages of the minimal 
realization approach, see [5, Introduction]. See also the expository account in [6], 
especially loc. cit. Section 8, which discusses the application to a finite sequence 
of syndromes over a finite field. 

Suppose that a codeword — A{ ) is received as = + . We have to 

find the error vector given the syndrome vector 

We will henceforth assume that =2 -|- 1 — 3 and that the number of errors 
is = h{ ) — ■ Let 12 u; be the positions of the errors. As usual, 
q are called the error locations and the error magnitudes. 

We write for 1 — 2 ; note that 1. 




On Efficient Decoding of Alternant Codes over a Commutative Ring 



175 



Definition 2 (Syndrome sequence) The syndrome sequenee of the error Pis 
the finite sequence roIP-illllllm over P , denoted P-P and defined by: 

n w 

P = Y,PUlPf^ = Y,P^P^Pr;P 

fc=i i=i 



for P= OP-llllllP. 



Definition 3 (Error polynomials) We define the error-locator and error- 
evaluator polynomials by 

W W 



Note that in the classical literature P^ and are called the 

error-locator and the error-evaluator polynomial respectively, where P* denotes 
the reciprocal of T — E[r]. 

Definition 4 (Key equation) Let P = ~ 

{PTP) — P[P ] — P P[P ] is a solution of the key equation if P is monic, deg(I) — 
deg{P) P and 

P - PPPmodP^-'^P (2) 

A solution (PLP) is called minimal if deg{P) is minimal. 

As in the classical case we easily obtain: 

Proposition 1 If P — Pthen {PePP Pe) is a solution of the key equation. 

The minimality of the solution {PePP Pe) is not obvious, but will follow from 
Theorem 2 when T is a domain and from Theorem 4 when P is local. 

We now recall some definitions from [5] . For P — P[P] and P — P At' 
denotes their product in P[P ~^PP ] and {P -P)j is the coefficient of P^ in T Ad. 
We write lc(T) for the leading coefficient of P — P[P ] — 0— 

Definition 5 ([5]) Let P— P — 0— . The P-annihilator set of PA' is 

AnniPA'LT) = -Ad : \c{P) = PP{PAd)j = 0 /or T + deg{P) - P- 0-T 

A polynomial P is said to be an annihilating polynomial of the sequence P-P if 
P — Ann{PAd LI) for some P. 

A non-zero polynomial in Ami{ P-P IT) of minimal degree is called a minimal 
polynomial of the sequence P-P , and we write Min{PA' TT) for those minimal poly- 
nomials of PdP with leading coefficient P. (For the equivalence between minimal 
polynomials and shortest linear recurrences of a finite sequence, see [6, Corollary 
2.3], which is valid for any P .) 




176 



Graham II. Norton and Ana Salagean 



Recall from [4] that for T- r[R], r(/Xr-f ) - T r[r] is defined by 

deg(/) 

ririT-r) = E 

i=i 

The connection between the key equation and minimal polynomials of PT 
becomes clear from the following lemma: 

Lemma 1 The pair {riT — r[r] — r ] is a minimal solution of the key 
equation (2) if and only if deg(I^ F FF — Mm{F-F /I) and F = F{FFF-F). 



4 Decoding over a Domain 

Theorem 2 If F is a domain then for all F— F — 0— Min{F-F IT) = -TF,,— 

We can now develop a decoding algorithm for alternant codes over a domain. 
Algorithm MR of [4] computes a minimal polynomial F and the correspond- 
ing F{FIF-F) for any sequence FF2 over a domain. But from Theorem 2, we 
know that for a syndrome sequence, such a polynomial T must be the error lo- 
cator polynomial multiplied by some non-zero constant. Hence, after applying 
Algorithm MR to the sequence of syndromes, we simply divide the output poly- 
nomials F and F{FFF-F) by the leading coefficient of F, thus obtaining Fe and 
F Ff,. The algorithm has quadratic complexity. We then proceed as in the clas- 
sical (field) case: we compute the error locations as the roots of Fg (which are of 
the form Fi^llllll and the error magnitudes as Fi. = Fe{Fi.)F{Fg{Fi.)Fi.). 

This algorithm can decode, in particular, BCH and Reed-Solomon codes over 
the /^adic integers of [1]. 

5 Decoding over a Local Ring 

We now assume that T is a local ring with maximal ideal F and residue field 
F = FFF . We extend the canonical projection F ^ F to a projection F[F ] 

F [F ] and denote the image of F — F[F] under this projection by F. 

When T is a Hensel ring we can characterize the monic minimal polynomials 
of the syndrome sequence: 

Theorem 3 If F is a Hensel ring and TilllllTn are distinct then 



Mm{F-FF) = 



n< 



i. - j) ■■ j i^=0 for some j 




On Efficient Decoding of Alternant Codes over a Commutative Ring 



177 



Our decoding algorithm is based on the following result: 

Theorem 4 If is a local ring and are distinct then 

e Min( 1) and for any Min( 1) we have 

W 

= e = ( — ij) 

i=i 

We can now develop a decoding algorithm for alternant codes over a local 
ring, provided we have an algorithm that computes a monic minimal polynomial 
for . The latter can be achieved for sequences of syndromes of BCH and 
Reed-Solomon codes over (see [3], [8]), over finite local commutative rings 
(see [2]) and for any sequence over a finite chain ring (see [5]). A method of 
computing the error once we have a monic minimal polynomial is discussed in 
[2,3]: (i) the roots of in are found and (ii) the ones that differ from some i 
by a zero-divisor are selected. Our method searches for the roots of [ ] 

among and is therefore more efficient. 

Algorithm 1 (Decoding A.(a, y, d) over a local ring) 

Input: = ( 1 n) containing at most = ( — 1) 2 errors, where 1. 

Output: = ( 1 n), the nearest codeword. 

0. Let = 1 - 2 . 

1. Compute the syndrome sequence as { o -i ■ If = 

(0 0), return . 

2. Compute a monic minimal polynomial for the sequence 

3. Compute the roots of~in . Then the errors occurred at posi- 

tzons }_ yj . 

4- Compute e = ri7=i( - ij)- 

5. Compute ' and e = { e ) 

6. Set = (0 0) and for =1 , put i. = e( ij) ( 'A ij) ij). Return 



Algorithm 1 can decode, in particular, BCH and Reed-Solomon codes over 
Galois rings. 

Acknowledgement. The authors gratefully acknowledge financial support from 
the U.K. Engineering and Physical Sciences Research Council (EPSRC). The 
second author was supported by EPSRC Grant L07680. 

References 

1. A. R. Calderbank and N. J. A. Sloane. Modular and p-adic codes. Designs, Codes 
and Cryptography, 6:21-35, 1995. 

2. A. A. de Andrade and R. Palazzo, Jr. Construction and decoding of BCH codes 
over finite commutative rings. Linear Algebra and its Applications, 286:69-85, 1999. 




178 



Graham II. Norton and Ana Salagean 



3. J. C. Interlando, R. Palazzo, and M. Elia. On the decoding of Reed- Solomon and 
BCH codes over integer residue rings. IEEE Trans. Inform. Theory, 43(3): 1013- 
1021, 1997. 

4. G. H. Norton. On the minimal realizations of a finite sequence. J. Symbolic Com- 
putation, 20:93-115, 1995. 

5. G. H. Norton. On minimal realization over a finite chain ring. Designs, Codes and 
Cryptography, 16:161-178, 1999. 

6. G. H. Norton. On shortest linear recurrences. J. Symbolie Computation, 27:323-347, 
1999. 

7. G. H. Norton and A. Salagean. On the key equation over a commutative ring. 
Designs, Codes and Cryptography, 1999. To appear. 

8. J. A. Reeds and N. J. A. Sloane. Shift- register synthesis (modulo m). SIAM J. 
Computing, 14:505-513, 1985. 




Reduced Complexity Sliding Window BCJR Decoding 
Algorithms for Turbo Codes 



Jihye Gwak‘, Sooyoung Kim Shin^, Hyung-Myung Kim^ 

'Satellite Communications System Department, Electronics and Telecommunications 
Research Institute, 161 Kajong-Dong, Yusong-Gu, Taejon, 305-350, Korea 
1 ihye@etri . re . kr 

^Satellite Communications System Department, Radio & Broadcasting Technology 
Laboratory, ETRI, 161 Kajong-Dong, Yusong-Gu, Taejon, 305-350, Korea 
dssv@satnet . etri . re . kr 

'Department of Electrical Engineering, Korea Advanced Institute of Sience and 
Techonology, 373-1 Kusong-Dong, Yusong-Gu, Taejon, 305-701, Korea 
hmkimQpanda . kai s t . ac . kr 



Abstract. In decoding the turbo codes, the sliding window BCJR algorithm, 
derived from the BCJR algorithm, permits a continuous decoding of the coded 
sequence without requiring trellis termination of the constituent codes and uses 
reduced memory span. However, the number of computations required is 
greater than that of BCJR algorithm. In this paper, we propose an efficient 
sliding window type scheme which maintains the advantages of the 
conventional sliding window algorithm, reduces its computational burdens, and 
improves its BER performance by allowing the window to be forwarded in 
multi-step. Simulation results show that the proposed scheme outperforms the 
conventional sliding window BCJR algorithm with reduced complexity. 



1 Introduction 

The decoding of turbo codes is performed frame by frame assuming that the receiver 
knows the final states of each frame [1], [2]. It means that the turbo encoder requires 
trellis termination. However, the trellis termination of turbo codes is non-trivial unlike 
convolutional codes [3]. 

The sliding window (SW) BCJR algorithm for continuous decoding is proposed by 
Benedetto et al. which does not divide information bits into blocks and does not 
require trellis termination [2]. The SW BCJR algorithm has an advantage in the 
application where it requires a small delay such as speech transmission with short 
frames, since trellis termination usually requires another redundancy. However, the 
computational complexity of SW BCJR algorithm is even greater than that of the 
BCJR algorithm which also suffers from high computational burdens. Therefore it is 
essential to reduce the computational complexity of the SW BCJR algorithm. 

In this paper, we propose an efficient sliding window type scheme which reduces 
the complexity by forwarding the window by C steps, where C > 1. The proposed 
algorithm resulted in enhanced performance compared to the SW BCJR algorithm 
with the same complexity. 



M. Walker (Ed.): IMA - Crypto & Coding'99, LNCS 1746, pp. 179-184, 1999. 
© Springer-Verlag Berlin Heidelberg 1999 



180 



Jihye Gwak, Sooyoung Kim Shin, and Hyung-Myung Kim 



In section II we describe SW BCJR algorithm compared to BCJR algorithm, and in 
section III we explain an efficient sliding window type algorithm to overcome the 
complexity problem of conventional SW BCJR algorithm. Section IV is dedicated to 
simulation results for different decoding algorithms. Finally conclusion is drawn in 
section V. 



2 BCJR Algorithm and SW BCJR Algorithm 

The BCJR algorithm estimates a posteriori probability (APP) of information bit to 
obtain log likelihood ratio (LLR) [1]. In this paper, we do not detaily describe the 
numerical expressions for LLRs, and we simply adopt the expressions used in [2]. 
LLRs typically represent soft outputs, which are used in an iterative decoding process. 
The BCJR algorithm calculates (5, ), (5; ) by forward and backward recursion 

respectively [2], and /^.(c) whenever the channel outputs of codewords are received 

[2], where k is a time index, 5, represents encoder state, and c is a codeword which is 
determined by encoder state and information bit. Then APPs can be obtained from 

The BCJR algorithm requires the whole sequence to be received before the 
decoding process is started, and trellis terminations of each frame is also required in 
prior to initialize the backward recusrion as shown in Fig. 1 . Moreover, it is necessary 
for the BCJR algorithm to store all the values of (5, ) and (c) in one frame. 

1. compute a„~ 

► 

— I 1 ► 

0 N 

M 

2 . compute ~ 



3. compute APPs from 0 to N 

Fig. 1. The steps of the BCJR algorithm 



In 1996, the SW BCJR algorithm is proposed by Benedetto et al. [2] which avoids 
the problem of trellis termination and operates on a fixed memory span. Forwarding 
the window of width D, the SW BCJR algorithm gives LLRs, but does not divide the 
received sequence into blocks, as shown in Fig. 2. 

The SW BCJR algorithm initializes the backward recursion at time k using the value 
of (S-), and performs backward recursion from time k-1 back to time k-D and then 

computes APP at time k-D. After calculating APP, the SW BCJR algorithm forwards 
the window by 1 step and repeats the same operations at time k+1 to obtain APP at 
time k-D+1. Therefore the decoding process is not performed by frame basis, and also 
the trellis termination is not necessary. Moreover, the SW BCJR algorithm uses less 




Reduced Complexity Sliding Window BCJR Decoding Algorithms for Turbo Codes 



181 



memory because it stores {S - ) s and (c) s for a corresponding window instead of 
a whole frame. 




k-D k-D+1 k k+1 



time 



1. compute Oi^, 



2. compute 

3. compute APP at time k-D 

Fig. 2. The steps of the SW BCJR algorithm 



3 Reduced Complexity SW BCJR Algorithm 

The numbers of computations of (S - ) and (c) are equal both in the SW BCJR 

and in the ordinary BCJR algorithms, but the required computations of of the 

SW BCJR algorithm are D times as many as those of the BCJR algorithm. 

The SW BCJR algorithm performs backward recursion from k to k-D to obtain 
Pk-D (^i ) ’ window of width D forwards by 1 step, as shown in Fig. 3-a). 

In this paper, we propose an efficient sliding window type scheme which reduces the 
number of computations of (5, ) by forwarding the window by C steps (Fig. 3-b)). 

If the proposed algorithm uses the window of the same width as that of the SW 
BCJR algorithm and C is greater than 1, the complexity of the proposed algorithm 
reduces but the performance degrades. This is because the initialization of backward 
recusrion is less accurate than in the original SW BCJR. That is, the more backward 
recursion, the more accurate value of /3j,(5;) could be achieved. With the same 

computational complexity, however, the performance of the proposed algorithm can 
be enhanced. It should be noted that we can lengthen the window width of the 
proposed algorithm compared to that of the original SW BCJR, resulting the same 
computational complexity. 

Let us compare the complexities of the BCJR algorithm, SW BCJR algorithm, and the 
proposed algorithm. These algorithms have the same numbers of computations for 
ctj, (S - ) and (c) , but the different numbers of computations for (S, ) . The 

required computations of (S; ) of the SW BCJR algorithm are D times as many as 

those of the BCJR algorithm, and the number of computations of the proposed 
algorithm is D/C times as those of the BCJR algorithm as shown in Table 1, where kg 

represents parameter of (kg, rig) convolutional codes, and is the number of states. 

In addition, the SW BCJR algorithm and the proposed algorithm have the same 
memory requirements, which are D/N times as many as those of the BCJR algorithm. 
Table 2 shows the memory requirement of each algorithms. 




182 



Jihye Gwak, Sooyoung Kim Shin, and Hyung-Myung Kim 



k-D k-D+1 



k k+1 



time 



a) SW-BCJR algorithm 



k-D k-D-fC k k+C 



time 



b) proposed SW-BCJR algorithm, C=3 



Fig. 3. The movement of window 



Table 1. The number of computation to obtain (5; ) 





the number of additions of 
2*^" numbers each 


the number of 
multiplications 


BCJR 


Ns 


/V^x2‘“ 


SW BCJR 


DxNg 


DxN^x2'‘" 


proposed 


— xNs 
C ^ 


D 

— xN, x2 " 
C * 



Table 2. The memory requirement of each algorithms 





the number of (c) to be 
stored 


the number of (S - ) to be 
stored 


BCJR 


NxM 


NxN^ 


SW BCJR 


DxM 


DxNs 


proposed 


DxM 


DxN^ 



4 Simulation Results 

In this section, we have estimated the performances of the proposed algorithm in 
comparison to the SW BCJR algorithm. We carried out Monte Carlo simulations 
using rate 1/3 turho encoders over AWGN channel. Two types of equal component 
codes were employed, generator polynomials {7,5 }g with K=3 (code 1), and (17, 15 }g 
with K=4 (code 2). The simulation results are shown in Fig. 4 and Fig. 5. 

In the figures, the ‘SW’ denotes sliding window BCJR algorithm, ‘PSW’ denotes 
proposed algorithm, and D, C represent window width and window forwarding step 






Reduced Complexity Sliding Window BCJR Decoding Algorithms for Turbo Codes 



183 



size respectively. The number of iterations in the decoding process is 2. The width of 
window used refered to the decoding depth of convolutional codes, which is about 5 
times of the number of registers in encoder [4], [5]. 

Fig. 4 shows the performance comparison of the proposed algorithm for Z)=10, 
C=5 and D=15, C=5 to those of the SW BCJR algorithm for D=3, 10 with K=3. The 
SW BCJR algorithm with D=3 and the proposed algorithm with Z)=15, C=5 have 
same complexity. The proposed algorithm with Z)=15, C=5 shows the best 
performance. 




-PSW, D=10, C=5 
-PSW, D=15, C=5 
- SW, D=3 
-SW, D=10 



Fig. 4. BER performance for various decoders of codel 



Fig. 5 compares the performances of the proposed algorithm with those of the SW 
BCJR algorithm for K=4. 




-*-PSW, D=15, C=5 
PSW, D=20, C=5 
SW, D=4 
-^SW. D=15 



Fig. 5. BER performance for various decoders of code 2 



184 



Jihye Gwak, Sooyoung Kim Shin, and Hyung-Myung Kim 



5 Conclusions 



In this paper, we propose an efficient sliding window type scheme which maintains 
the advantages of the conventional sliding window algorithm, reduces its 
computational burdens. We can improve performance and reduce complexity 
simultaneouly with proper choices of C and D. 



References 



1. C. Berrou, A. Glavieux, and P. Thitimajshma, „Near Shannon limit error-correction coding 
and decoding : Turbo-codes,“ in Proc. ICC, pp. 1064-1070, Geneva, Switzerland, May 
1993. 

2. S. Benedetto, D.Divsalar, G. Montorsi, and F. Pollara, „Soft-output decoding algorithms for 
continuous decoding of parallel concatenated convolutional codes," in Proc. ICC, pp. 112- 
117, Dallas, U. S. A., June 1996. 

3. P. Robertson, „llluminating the structure of code and decoder of parallel concatenated 
recursive systematic (turbo) codes," in Proc. GLOBECOM, pp. 1298-1303, San Francisco, 
U. S. A., Nov. 1994. 

4. F. Hemmati and D. J. Costello, Jr., „Tiuncation error probability in Viterbi decoding," IEEE 
Trans. Commun., vol. 25, pp. 530-532, May 1977. 

5. S. Lin and D. J. Costello, Jr., Error Control Coding. Prentice-Hall, 1983. 




Advanced Encryption Standard (AES) - 
An Update 
[Invited Paper] 



Lars R. Knudsen 
University of Bergen, Norway 



Abstract. On January 2, 1997, the National Institute of Standards and 
Technology in the US announced that they intend to initiate the devel- 
opment of a new world-wide encryption standard to replace the Data 
Encryption Standard (DES) . A call for candidates was announced world- 
wide with the deadline of 15th June 1998. Totally, 15 candidates were 
submitted from the US, Canada, Europe, Asia and Australia. The au- 
thor is the designer of one of the candidates, and a codesigner of another 
proposal. 

The AES proposals are required to support at least a block size of 128 
bits, and three key sizes of 128, 192, and 256 bits. The hope of NIST is 
that the end result is a block cipher “with a strength equal to or better 
than that of Triple-DES and significantly improved efficiency.” 

In March 1999 the first AES workshop was held in Rome, Italy. August 9, 

1999, NIST announced the selection of five candidates for a final round of 
analysis. After a second AES workshop to be held in New York in April 

2000, NIST intends to make a final selection of one or two algorithms for 
the Advanced Encryption Standard during the summer of year 2000. 
The five algorithms selected to the final round are MARS, RC6, Rijndael, 
Serpent, and Twofish, which also are the candidates predicted by the 
author in a letter to NIST. 

The winner(s) of the AES competition are likely to be used widely and 
for many years to come. Therefore, it is important that a candidate is 
chosen with a high level of security not only now, but also in 25 years time 
or more. It is of course impossible to predict which of the five candidates 
will survive attacks for such a long period, but this also speaks in favor 
of the choice of a candidate with a large security margin. 

All AES candidates are iterated ciphers, where a ciphertext is computed 
as a function of the plaintext (and possibly some previous ciphertexts) 
and the key in a number of rounds. In the call for candidates NIST did 
not allow for a variable number of rounds. Although NIST allowed for 
possible “tweaks” (small changes), at the end of the first round (April 15, 
1999) none of the designers changed the number of rounds of their algo- 
rithms. In fact of the five final ones, only the MARS designers suggested 
a modification to overcome a small key-schedule problem. 

In our opinion, the number of rounds fixed by some of the designers is too 
small, and the algorithms will prove inadequate for long-term security. 
We believe that this narrows down the five candidates to only a few. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 185-185, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




The Piling-Up Lemma and Dependent Random 

Variables 



Zsolt Kukorelly 



kukorellOisi . ee . ethz . ch 



Abstract. 



modulo 



1 The Piling-Up Lemma 

In a linear cryptanalysis attack on iterated block ciphers, one identity important 
for the computation of the probability of success of the attack is Matsui’s Piling- 
up Lemma, which states that for independent, binary-valued random variables 

1 „, the probability that i „ = 0isl 2-1-2”“^ [ j = 0] — 

1 2) [4]. Using the notation introduced by Harpes, Kramer and Massey [2], this 

can be written as ( i «) = "=i ( i), where ( ) = |2 [ =0] — 1| 

is the imbalance of the binary-valued random variable 

Another important figure in this attack is that of an input/output sum. 
An -round input/output sum (I/O sum) is an expression of the form ^ = 

o( ) — i{ ( )), where is the plaintext, ( ) is the output of the round 
of the cipher, and o> i are binary- valued balanced functions, that is, functions 
which take on each of the values 0 and 1 for half of their arguments. 

Now one can also define imbalances based on conditional probabilities. For 
an -round I/O sum ^ one defines 

— the key-dependent imbalanee as the imbalance of ^ given fixed values 

of the round keys, i.e., ( ^■"*| i i) := 2 [ ^ = 0|( i /) = 

( 1 i) ] — 1 , where i i are the round keys; 

— the average-key imbalance as the expected value, taken over all round keys, 

of the key-dependent imbalances, i.e., ( ^■■■*) := [ ( ^■■■*| i i)]. 

It turns out that, provided some assumptions, the probability of success of an 
attack using linear cryptanalysis, that is, the probability that the key found is 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 186-190, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




the right one, is approximately proportional to the square of the average-key 
imbalance of the ( — l)-round I/O sum used in the attack [1,2]. Thus, it is 
important for the cryptanalyst to find balanced functions o and r-i such that 
( is as large as possible. 

But it is usually infeasible to compute ( as it requires the computa- 

tion of ( — 1) for all values of and all values of the round keys. An efhcient 
way out of this dead-end can be found in [1,2]: define i = i_i( ( — 1)) — 
*( ( )) ~ i{ i), where i and ^ are binary-valued functions the first two 

of which are balanced. Then i r-i = 

and ( 1 r-i) — ( Thus, finding i r-i such that 

( 1 r~i) is large assures that the average- key imbalance of the corre- 

sponding I/O sum is large. 

However, for the same reason as for ( it is also usually infeasible 

to compute ( i r-i)- If i r-i were independent, then, by the 

Piling-up Lemma, 

n 

(i .-i)= ( .) (1) 

1=1 

The right side of the equation can be computed much more easily because i 
involves only the input, the output and the round key of a single round. The 
problem is therefore reduced to finding i r-i independent. This is very 
difficult in practice. Thus, what one usually does is to assume that i r-i 

are independent and to apply (1). We call that the piling-up approximation. 
The ignorance whether the piling-up approximation is valid or not, i.e., 

whether ( i) is a fairly accurate or a very bad approximation of ( i 

r-i), has never prevented anyone of using linear cryptanalysis. It is important 
only in the computation of the probability of success and, if the approximation 
is valid, it gives the cryptanalyst a clear conscience. 

2 The Piling-Up Approximation Is Dangerous 

In a sense, the piling-up approximation can be strongly misleading, as shows the 
following lemma. 

Lemma 1. For any binary-valued random variables i n, we have 

( l) — ( n)- -”(( -1)+ ( 1 .))” (2) 

with equality if and only if ( i) = ^(( — 1) + ( i „)) for all . 

Moreover, equality can occur in (2). 

Proof. The steps in the proof are the following (details can be found in [3]): 

1. ( i)+ ( 2 ) — !+ ( 1 — 2 ) for all binary- valued random variables 1 

and 



2 





Fig. 1. For — 2, all points on or above the line are possible. 



2. by induction, ( i) H h ( n) - ( - 1) + ( i n) for all 

binary- valued random variables i 

3. because i 2 n ~ (Si±— for any nonnegative numbers 1 „ 

with equality if and only if all i are equal, we have 

( 1 ) — ( n)- -”( ( l) + h ( n)r 

- -"(( -i)+ ( 1 „)r 

with equality everywhere if and only if ( i) = i(( — 1)+ ( 1 „)) 

for all ; 

4. equality can occur in (2). — 

Figure 1 visualises the inequality (2). The Piling- up Lemma says that if the 
random variables are independent, then we are always on the diagonal. Inequality 
(2) says that, for — 2, all points on or above the solid line are possible. 
Hence, for dependent random variables, the product of the imbalances can differ 
considerably from the imbalance of the sum and thus (1) is sometimes very far 
from being satisfied. 



3 The Piling-Up Approximation Is Applicable 

Fortunately for the cryptanalyst, on average, things are different. 



3.1 Two Random Variables 

Consider two random variables 1 and 2 defined on some sample space f?. Let 
17 have an even number 2 of elements. (The case |17| odd is not interesting for 




our purpose.) Then ( i) and ( 2) are of the form 1 and 2 , respectively, 
where 1 and 2 are integers, 0 — 1 2 — ■ 

Now fix 1 and 2 and consider all different pairs of random variables 
( 1 2)) independent or not, for which ( j) = ^ and ( 2) = 2 ■ (Two 

random variables are different if they differ as functions from f? to -0 1 — not 
if their probability distribution is different.) Then compute ( 1 — 2) for each 

pair ( 1 2). By some counting arguments, the average of ( 1 — 2) is equal 

to ( 1 2), where 

( >--=-fW7 ( 

V m=i+j 

and ( ) := ( ) if 

One shows that ^ — ( ) — ^ + (!+()) for all , where 

lim,3^^ ( ) = 0 . This means that the average of ( 1 — 2) is lower-bounded 

by ( 1) ( 2) and upper-bounded by ( 1) ( 2) + (1 + ( )) • Now if 

the sample space J? on which 1 and 2 are defined is large, then the above 
average of ( 1 — 2) is close to ( 1) ( 2)- This is a first indication that the 

piling-up approximation might be valid after all. 

The same average of 1 — 2) is equal to (1 2), where 



( ):= 


1 o / 

^ f (2 ( ( 


+ (( - ( 


0 - 










and ( 
fii 1 ill 


) := ( ) if . One has ( 

V , that is, the average of ^ ( 1 — 


)= 2 i^ + #T 

'1 1 i 2U 

2 i?-l ' 2^-1 


T f 

1: 


1 

2^-1 

2)- 


1 ( 2( 

2^9-1 1 V 


1) + 2)(. If gets large. 


this is approximately 


equal to 



1) 2). Thus, we can conclude: 

Proposition 2. Let f? be some sample spaee with 2 elements. Then, if is 
large enough, ( 1— 2)~ ( i)( 2) for virtually all binary-valued random 

variables 1 and 2 - — 



2 



(( 



3.2 More than Two Random Variables 

For more than two random variables, we can compute similar averages re- 
cursively. Take some integers 0 — 1 n — and consider all -tuples 

( 1 n) of random variables such that ( 1) = 1 ( n) = n 

Then compute ( 1 „). Denote by ( | 1 „) the empirical proba- 
bility that ( 1 „) = given that ( 1) = 1 („)=„; 

denote also by ( 1 „) (resp. ( 1 „)) the average of ( 1 „) 

(resp. of 1 „)), that is, ( 1 „) = ( ^ ( | 1 „) and 

(1 n) = ( fc ^ ( I 1 n)- One shows then that 




1 



- ( I 

- (l 

- (l 



n) = ( fc (I n) ( I 

)=( k ( n) ( h 

) = U ( ") ( 1 1 



l)l 



n— l); 
n— l)' 



By induction, one also shows that 



_ / \ n. 

I, 1 nj 1 n 5 

“ ( 1 n) — 1 n " + ( — 1)(1 + 

function as above with lim^_,_» ( ) = 0; 

_ ( \ _ 1 I 2i3 *1 f 

11 n) 2i 9-1 ^ 2i9-1 79^ t 1 n- 



)) 



where 



1 - 



2 t 9-1 



is the same 

n-l) ^ ■ 



Again, if is large but i „ fixed, then ( i n) ~ i n ", and 

from the recursion for follows that ( i „) ss ^ ^ Thus, if is 

large, then the average of ( i „) is close to ( ( 9) and the average 

of 1 „) is close to ( i). Hence, we have: 

Theorem 3. Let fl be some sample spaee with 2 elements. If is large enough, 

then ( 1 „) Ks ( j) for virtually all binary-valued random 

variables 1 „ defined on fl. — 



3.3 Implication for the Piling-Up Approximation 

Let be the text blocklength of the cipher and be the length of the round keys. 
The plaintext and the round keys i are usually considered to be independent 
random variables uniformly distributed on A) 1 -^ and -0 1 — , respectively. Be- 
cause the round functions yield an invertible function when one fixes the value 
of the round key, the output ( ) of the round of the cipher is also a random 
variable uniformly distributed on -0 1—". Thus, ( ( — 1) ( ) i) is a random 

variable with values on -0 1— and i = i_i( ( —1))— i{ ())— i{ i) is a 
binary- valued random variable with sample space fl = -0 1—2"+^ with 2^2n-i-fe-i 
elements. In practical ciphers, = is fairly large. Thus, by the above 

Theorem, ( 1 r-i) ~ ( i) in virtually all cases, that is, the 

piling-up approximation is valid. 



References 



Cryptanalysis of Iterated Bloek Ciphers 



in Cryptology - Euroerypt’95 



Advances 



On The Validity of Some Hypotheses Used in Linear Cryptanalysis 



Cryptology - Euroerypt’93 



Advances in 




A Cryptographic Application of Weil Descent 



*1 



2 



r r rr 

s . galbraithOrhbnc .ac.uk 
r r r r r 

nigel.smartOhpl . hp . com 



Abstract. 



r r 

r r 



r 

r r 
r . 



1 Introduction 



y 1 yp p 1 

i pp i ip i 

n > i P P i 
i k ip i 

i ik y 

i y i 



pi 1 11 

2 i C 

3 i 



1 y 



1 



1 1 
i P 



PP i 

i 



P P 



1 1 1 

i P 
i P 



A E 



1 1 

k 

Jac C 



i y A 



E qn Jac C q 

n i i X 



p IZ 

ip i 

X p 



1 p p 



1 



ip 1 
i p p 

i ip i 

i 2 3 i 

i i i i i 



1 y 



1 p 



1 1 y 

i i 



y p i y k 



1 p 



1 1 1 

P i i 

i -k i 

yp P i 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 191-200, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




r 



1 

i i 

yip X p 

2r^ ip i 

i 

P 



1 p 1 

i X p 

E 2^™ 



xp 1 



1 1 1 



3 

PP i 

i i i 



ip i i i 

- xp i i i 



y xp 

k p i 
k p i 

i i p i 



i p p 

ip i 

xp i y i 

P i y xp i i 
p i n 



P 



i 

n y 



2 Curves, Divisor Class Groups, and Jacobians 







1 y 


1 




2 


i 




curve C 


k i 


P - i 


i y i i 


: i 




i i pi 


i 


P 


i 


i i i 


i 


i 


i 




PP i 


i i 


C/k i 


k 


- P P 


- i 


i P 


y i i 


k 


yC 


i 


- i C 


i i 


X 3 i 


i 




k 


p C ^ C 








genus g 


- i 


i i p i 


i 


i 


y 


geometric genus 


i 


i i i i 


i 




i i 


Jacobian variety Jac C 


- i 


^ 9 


k i i 


i y 


k \ i g 


i 


i i 


9 


y i p 




i P 




i 





Proposition 1 Suppose C is a non-singular curve over a field k with a point P 
defined over k. The following properties hold. 

1. (Canonical map from C into Jac C ) There is a canonical map f^ C 
Jac C which takes the point P to the identity element of Jac C . 

2. (Universal property) Suppose A is an abelian variety over k and suppose 

there is some mapping of varieties f C ^ A such that f P a, then 

there is a unique homomorphism Jac C ^ A such that (f> ip f^ . 

i i p Pic). C i p z i i 

C i k piipii Ci -i 

k i fc-p i P Jac C C i pi 




r 



r 



1 1 






1 


1 


1 P 1 


1 1 


i i p 






i 


i 


i 




i i p 


i 




i 


i 


i i i 




i 


i 




P 


i 


C 


i i 


) i i i 






P i 


i i 






i i y A 




k i 


simple i i 


P P 


i 


i i 


k i 




i y i absolutely simple i 




i 


i 


k 


i i 


i P 


isogeny i 


ppi 


i 


i i p 


i 




P 


P i i 


i k 




i P 




i 


ii y 




2 




i pi 


y 


i i y 


i i 


P 


i P 


i i i i 




y 


p 


i 






i pp i 


i 




i p p 


y 


P 


PP 


simple i 




i y 


i i 


d 


i 


C 


f C^A i 


i 


p p 


P 


(f) i i 


i 


y 


i 




p 


C i 


A p 


i i 


i 




p 


Jac C 


A i i 


i y 


A i 




A 


i i 


P 


P V' i 


i 


A 


i y 


Jac C 






i 





Proposition 2 Let A be a simple abelian variety of dimension d over a field k. 
Suppose we have a map f C ^ A from a non- singular eurve C to A. Then the 
genus of C is at least d. Furthermore, g C d if and only if A is isogenous to 
the Jaeobian of C. 



3 Weil Descent 





k 


i 




K 




i X i 


X 


P 




k 


2 


K 


2" k 2” 




i 




i P 






PP i i 


ip i 


K 






i 


i 


i 


E K 


i y P 2 


A Pi 


i 


Pl,P2 


E K i 


E 


i 


k i 


i 


i 


i i 








i 


i i 


i 


i 


y p 


y 


















Weil restrietion of sealars 


E 


K i i 




i 


i n 






k 








P 






xi i 


i y p 




iy 


WK/k 


E 






i 


i 




i i 


k 




i K 


k xp 




i 






E K 


i 






i 


k xp 


i 






ip i 




i 


i 




i 


K k 


i n 


2n 


i 


i i 


y i 






P^Kjk E 


i 




P 






ip i 





n 

K 2-- 
E 

i P 

i z i z 

i yp pi 



i i y WK/k E 



pi X p 

i 

i i 2n 

E K 
i i ki 

P i 




r 



r 



Lemma 1 If E is defined over k then W^/k E E k — V , where V is an 
abelian variety of dimension n — . If n is eoprime to ffE k then we have, 

V P- W^ik E Tr^ik P O- 

where the trace is computed using the mapping from W^/k E to E K . 

k i i 



Proof. E i fc 1 1 y i 

y i P i i i y i 

i y B k WK/k E i i 

i i i i i p i 



WK/k E i V,cr rj ,■ ■ ■ V ?? i 

i y V WK/k E i i 

i y Vi i 

i p i ffE k i y V k 

y i i B 



i y WK/k E 
i i 

E-B 

i p i 

i p i E/K 



i y WK/k E i n 

i i i i i E k 

i P 



A i 

i i p 

Definition 1 Define A by 



1 1 
E K 



1 y 
y i 



i) If E is not defined over k, then set A WK/k E . Hence i A n. 

ii) If E is defined over k, then set A V, from Lemma 1. Hence i A n — 



xp 

i i ip i i 

i i pi 

i y A 

y i k 

i ip i 

i i y ^ k 
k yi A C 

y i P P y 
Jac C~ A C~i 

p i Pi P 2 
pi A k i i 






i i i D\ D 2 i Pic^ C k 

pi C Di Pi i y 

£>2 i p Di Picl C 



i i y ^ ip i 

i i i y p i i i y 

A i p i 

i k ip i 

ip i E K 

X p i y i C 

k-p 1 Pq pi i iy A 

i i ppi i i i 

i i C 

ip i E K p 

y pi y P - k 



pp 1 y 



1 



1 

i X 



1 P 



PP y 



2 i 

3 i 



y 

y p 
y 



A 



k p i A i i 

i X 



C 



1 1 




r 



r 



4 Pulling Back Along jp 



9 k 
A pp Po i 
P / 

y p 

i i i 
i i Deff i 

P i 

Proposition 3 



i 




ppi xp 




xp 


i i 


y c- 




4> 


c 


A 


ppi 




C 


i 


i i y 


fc-p 


i 


C i 








i i 


i y i 




i 


i y 


A 








Picl C 


i 




•D Deff ■ 


-dPo 






Deff Et 


1 Qi i 




d 




Qi 


p 


i 


C k 






k 








y 


i d - 


- 9 




k 


i 


y 




d 







The map p PiAl C ^ A k is given by 



d 

P k^eff h Pq P ^ (f> Qi 

i=l 



where the addition on the right hand side is addition on the abelian variety A 
(which can be efficiently computed via the addition law on E K ). 

Proof. i i Deff — d Pq i C i i 

Qi - Po i p f C k ^ Pic\ C P P y 



f Q^ Qi - Po 

(f tf -f p Q. 

pi ip 



ppi Pic^ C ^ A 



Pc 



0 P Qi 

i 



1 p p 

A k i Ip i 
i p Gal k/k 





P i 




i 


i 


i 






i 




C 




ppi 




i 


i 




P 


ip i 






P 


i 


0 

k ^ 


A 




i i 






PP 


i 




- i 




P i 


C 










i 




p 






i i 


i 


P 




xp 


i 


P i 


P 


A 




i 








i 


i 


y p 




i 




P 


i 


i i 






















i 




d 


i p i 


^i> 


• • • 5 


Qd- 


- C k 


y 


i 








P i i 




i 


Qi 


Xi,yi 




Xi Vi 




i 




P 




P i 






i yA i 




P (P 




i E 


^ Qi 


i 


,...,d 


i 






i 


P 


i 




i 




i 


d 


i 


i 2d 


k 






y 


i 


P 






A pp i 






P i 


T 

-k- 1 




i 




i 




i 








Ti 






i 




i 




P 


i A 




i 


i n 


i 


i 




y 




n 




i 






















i 






d n 


i 


i 


2d 


k 




i 




i y 


V 






d> 


n xp 




i 




i 


y 


i 


i 




d — n 


X 




P 




d n 










d 


n 2 


i i 


P i 




i 


i 


y i P 




P 


i 


Qi i 






i 


- 


i 


P 


i 


C 






i 


i i 


D 


2-^i— 


1 Qi 


-dPo 


i i 


ic 




i 


P 


xp 




i 


p i P 




A k 






i 


P i 






i yV 


i i 


i 


i 




i i 


D 





a 








r 




r 








i i 


P i 


i i 


i i 


- i i 


P 


i 


p i - 


y i i 






y 


P 


i i 


i 


i 


i 


i i y 












P 




p 






P i Pi 


P 2 


i i 


ip i 


i 


i 


p 






i i 


i Di 


D2 i i 


c 


i %[} i 


p 


P 


i k 




xi 


i i 


i 


-D 3 i k 


















D 2 


A D\ Ds- 






h 


# 


i ° C i 




P 


i p y 


i 


i i 


i 




i 3 




2 


PP 




P i Pi 


P 2 




ip i 


p 


■ i 


P 


k 




P i 






i i 


h 


y i 


i 


P 


P 


i 


y i 


i - 




P i 


i 


i 


i 




i y 




A i 




i 


i i 


Picl C 


















y 


y 


P 


i 


i 


P 


k 


i 




C i 


i 


pi 








5 An Example 












i 


X 


P i 




i 


i 




k 2 - 


K 




K 


yp 


P i 




i 


k i 


n 




P i 




2 m 


P i 


i i i 


i 


n+l 




n 
















- / 


X — 




-1 


X 




i 




K k 












X 


P k 




i n 


i pi 


i y 






i 


K k 




0 ^ 02 0 






- K i 


i 


i 




i y 


0 02 


9^ 9^ 


i 


i 


ip i 






K 














y2 


XY 


b 






b - 




6 i i y 














b 


bo0 


bi0^ b20^ 


00 

CO 






y i 
















X 


xq9 


X\9^ X20‘ 


^ xs0^ Y 


yoO yi0^ 


' V29^ 


ys0\ 


xi,y 


i 


k i i 


i 




i P 




9 i 


i 




i i 


k 


-iCO, ■ ■ 


• ,X3,yo, . . 


■ ,ys- 


i i 




r 



r 



i 


i y A 




■ i i 




i y i 


- i i 


P 


i 


i 


X 


i 


p 


i 


i Ai 


i 








y P i 


i 


i y 


PP i i 






i 




P i 




i 


A i y 


P i 




i 




i 










P 




A 




y 




i p i 








Xq , X\ 


,X2,X3,yo,yi,y2,y3 ~ 


A k 




P 


i 














XQ0 


x\9^ 


X2^'^ 


X30^,yo0 


yi0‘^ 020^ 030^ -E K 




i 




i i 






ip i 






i 


A 


i 


i A - 


yp 


P 


i P i i 


i 




z 




A 






P i 


i y 


i 


y i 


i i i 


y 




i 


i 


1 i y 
















X 


p 




i A 






i yp p 












i 














Xq Xi 


X2 


X3. 






i 


i 




i y A 




i 


i y 










' yi yo^o 


t -3 

Xq 


ho 












yi yi^o 


Xq 


hi 










V < 


yi y 2 xo 


Xq 


h2 












yi ysxo 

K 


^3 

Xq 


hs 






i 


i V3 y 


ki 










i 


i i 


yi : 


y ki 








i 


i 


i y 


















f 


xl hi yoxl 


xl 


hoxl 






v~ 


















1^0 


Xq hi y2xg 


xl 


62X0 




y y i 


i i 


P2 






i 


i X Xq 


y yo 


i 
























x^^ 


6qx^‘^ h^x^^ &|x® 


hi ■ 


y i 


P i 




i 




i 


pi x,y 


rh 


i 


i 


i y 


P i 


i 


i y 


i 


i 


P i 






i 


P 




i p i 


i i y 



i y A 



P 1 1 



P 1 



A 




r 



r 



2 1 1 



bj i 



p k 3 



bi i 



X y 



bo, bi, 62 , bs 



5 ) ) 1 5 ) ) 1 ) 5 1 ) ) 5 ? ) 



: ? ? 5 5 ? ? 1 ^ 1 ? ? 5 ? 



, , , 1 p 1 11 ip 1 

60, 61, 62,^3 P 

X p i bo,bi,b 2 ,bs , , , i i 

i i y 



Cl x’^y x^'^ x^ x'^ 



i i Cl 



6 Solving the Discrete Logarithm Problem in the Divisor 
Class Group of Certain Curves 



P ip 1 



p y 1 

p p 



p 1 

i i i i 



1 y 1 P 

i i p i y 



yp iP 1 



1 y iz 11 

i - p i i 

i p i 
p xi y 



Cq 3 / 2 , C 



p q 9 



7 Open Problems and Conclusion 



1 p p 
i P 



1 p 1 














r r 










i 


p 








i 








y i 




ip 


i 


yp 


y 


i P 


i 












i P 




i 


i y 


i i 




i p p 


y PP i 






ip i 










^ i 


n > 


ip i 




P i 




PP 




i 


i 
















k 


i 


i 






i 






P i 






i 


i 


i 


i 


P i 


P 


























i 




i 


i 










i 


X 




i 


i i 


i 


i 


PP i 


i i 


P 




i 


i 




i P 






ip i 


i 


PP 


xi 


yg- 


P i 




i y 


i 






i i 


P 




i 


P 


iz 


9 i 








C 




ff 


i y 




P 


n 


i 




i 


P 






i i 






P 






i 




i 








i 


i 


y 




a 






i 


i 




i i 


n 






i X 






i 


xp 


i y y 


P i 


y 


i 


iz 


i X 


q 






9 i 


i y 






i 






k 


k 


n 


9 




ik 








fli i 




















2 i 


i 


y 




yi 






i i y ^ 






i i 


i P 










9 C 








P 


i 


n 




i 


X 


P 




i 




i i i 




i 


i 








i xp i 


i n 






xp 






xp 


i 




Ci 


i 








C 


xp i 


y i 


n 


p xi y 




i 




k 




xp 


i i 


qS 


i 


i xp i i 






ip 


i 




p iz 












i 


k 








i 




xp 




P 


i 






C 


A 


i 


i 


i 


i ki 






xp 


i 


i 


i 


i 




i 


i i y 






i 




i 


i P 






i i 


i 


C 




O ri^ 




y 


A 


X d 






xi i 






y i 


i 








i 


i 


i 


i 






i 




i i i 


y A 




n i 


i 


i 








i 






yi 




i i y 


A 


i 


i 




X p 




i 


A 




y i 




i 


n i 


i 




y 


ik 


y 


A 


i 






n 


i 


i ik y 




i 






i 


p 


i 


k 


















3 i 


i 


y 


P i 






i 


i i y 






i 




n i 


y 


i 


P 


i 


i 






i 


k 






i 


i 


i 


i n i 










i 


PP y p 


1 i 




n 


2 3 




1 p 11 y 1 

i y xp 

ip i E qr^ i n y i i p i 

i i ik y i y 

i i E g i i i ik y 

ip i i ip 

i p i i i i 

ik y ip i 2 ^ ^ 

y iz 3 i y xp i y i 

y ip i pi p 

2p pip 



ANTS-1 : Algorithmic Number Theory 



r . r r r 



r . r 



r. . J. Symbolic Computation 24 

r . . r r 

http: / /cacr.math.uwaterloo.ca/conferences/1998/ecc98/slides.html 



r . r r 



r . r r 



r r 



r . J. AMS 2 



r r . r 



r . r r 



Arithmetic Geometry . r 



r . r r r 



. 55 




Edit Probability Correlation Attack on the 
Bilateral Stop/Go Generator 



Renato Menicocci^ and Jovan Dj. Golic^ 

^ Fondazione Ugo Bordoni 
Via B. Castiglione 59, 00142 Roma, Italy 
rmenicOfub . it 

^ School of Electrical Engineering, University of Belgrade 
Bulevar Revolucije 73, 11001 Belgrade, Yugoslavia 
golicSgaleb . etf . bg . ac . yu 



Abstract. Given an edit transformation defined by the stop/go clock- 
ing in the bilateral stop/go generator, an edit probability for two binary 
strings of appropriate lengths is proposed. An efficient recursive algo- 
rithm for the edit probability computation is derived. It is pointed out 
how this edit probability can be used to mount a correlation attack on 
one of two clock-controlled shift registers. By estimating the underlying 
false alarm probability, it is shown that the minimum output sequence 
length required to be known for a successful attack is linear in the length 
of the shift register. This is illustrated by experimental correlation at- 
tacks on relatively short shift registers. 

Key words. Stream ciphers, mutual clock control, bilateral stop/go, 
edit probability, correlation attack. 



1 Introduction 

Clock-controlled shift registers are an important tool for designing keystream 
generators for stream cipher applications. Several keystream generators based 
on clock-controlled shift registers are known to produce sequences with long 
period, high linear complexity, and good statistical properties (e.g., see [1]). 
The stop-and-go clocking is particularly appreciated in practice because of its 
suitability in high-speed applications. At any time, a stop/go shift register is 
clocked once if the clock-control input bit is equal to 1 (or 0) and is not clocked 
at all otherwise. 

The bilateral stop/go generator (BSG) is a combination of two binary LFSRs, 
LFSRi and LFSR 2 , which mutually clock-control each other (see [3], [4]). More 
preeisely, a clock-control function derives two clock-eontrol bits from the states 
of the two LFSRs. Each clock-control bit is used to stop/go clock-control one of 
the LFSRs. The two clock-control bits are never simultaneously equal to zero, so 
that at each step at least one of the two LFSRs is stepped. The output sequence 
is formed as the bitwise sum of the two stop/go clocked LFSR sequences. 

No attacks on such a structure are reported in the open literature. The ob- 
jeetive of this paper is to investigate whether a divide-and-conquer correlation 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 201-212, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




202 



Renato Menicocci and Jovan Dj. Golic 



attack on one of the LFSRs is possible. In such a correlation attack, the cryptan- 
alyst would try to reconstruct the initial state of the chosen LFSR from a known 
segment of the keystream sequence by using an appropriate edit probability as 
a measure of correlation. 

For the stop/go clocking, a specific edit probability correlation attack on 
the alternating step generator is proposed in [ 2 ] . This generator consists of two 
stop/go clocked LFSRs and a regularly clocked clock-control LFSR. At each 
time, the clock-control bit defines which of the two LFSRs is clocked, and the 
output sequence is obtained as the bitwise sum of the two stop/go LFSR se- 
quences. The target of this correlation attack are the initial states of the indi- 
vidual stop/go clocked LFSRs. 

Problems to be addressed in this paper are how to define the edit proba- 
bility, how to compute it efficiently, and how to estimate the known keystream 
sequence length required for a successful correlation attack. The fact that the 
first binary derivative of the BSG output sequence is bitwise correlated to the 
first binary derivative of the output sequence of each of the stop/go clocked 
LFSRi and LFSR2 suggests that a divide-and-conquer attack may be possible. 
The edit probability is based on an edit transformation taking into account the 
stop/go clocking in the BSG. By introducing a suitable partial edit probability, 
a recursive algorithm for computing the edit probability is derived. 

Accordingly, a correlation attack on LFSRi based on the edit probability is 
proposed. More specifically, this edit probability is defined for two binary strings 
of appropriate lengths: a given input string corresponding to the output sequence 
of LFSRi when regularly clocked and a given output string corresponding to 
the first binary derivative of the output sequence of the BSG. The (random) 
edit transformation consists of the stop/go clocking as in the BSG of the given 
input string X and a purely random binary string V (corresponding to the 
unknown LFSR2 sequence) according to X and an auxiliary purely random 
and independent binary clock-control string R, of the bitwise addition of the 
two stop/go clocked strings, and of taking the first binary derivative of the 
combination string. The auxiliary binary clocking string R is introduced in order 
to enable a recursive computation. The edit probability is then defined as the 
probability that a given input string is transformed into the given output string 
by the described random edit transformation. 

In the proposed correlation attack, for every possible LFSRi initial state, 
an input string of sufficient length is generated and the edit probability for a 
given output string is computed. The correct LFSRi initial state is then likely 
to belong to a set of states with the associated edit probability close to being 
maximal. This attack can be successful only if there is a sufficient statistical 
distinction between the probability distributions of the edit probability when 
the input string is guessed correctly and randomly, respectively. By computer 
simulations, for an appropriate missing event probability, the underlying false 
alarm probability is approximated by an exponentially decreasing function of the 
string length. If L denotes the common length of the two LFSRs, the minimum 




Edit Probability Correlation Attack 203 



output sequence length required to be known for a successful attack is then linear 
in L. The time complexity of the attack is then estimated as 0 ( 2 -^+^ 

In Section 2, a more detailed description of the BSG is provided. The edit 
probability for the auxiliary clocking string and the recursive algorithm for its 
efficient computation are presented in Section 3. The underlying false alarm 
probability is estimated in Section 4 and the corresponding correlation attack is 
explained in Section 5. Experimental correlation attacks conducted by computer 
simulations are reported in Section 6. Conclusions are given in Section 7 and a 
number of tables displaying the statistics of the edit probability are presented 
in the Appendix. 

2 Description of Bilateral Stop/Go Generator 

As shown in Fig. 1, the output of the bilateral stop/go generator (BSG) is 
obtained by bitwise addition (modulo 2) of the output sequences of two binary 
linear feedback shift registers, LFSRi and LFSR 2 , which mutually clock-control 
each other by stop/go clocking (see [3], [4]). It is assumed that LFSRi and LFSR 2 
have primitive feedback polynomials of the same degree L. At each step, the 
output bit is assumed to be produced in the step-then-add manner as follows. 
Let s\ ^ and i = 1,2, denote the contents at step t — 0 of the stages at 

positions L and L — 1, respectively, of LFSRi. From input bits 
and s\_i j, a clock-control function h determines the clock-control bits and 
From four binary inputs a,b,c, and d, h{a,b,c,d) outputs — 1 — if (a, 6) = 
(0, 1), -2— if (c, d) = (0, 1) = (a, b), and —1, 2— otherwise. To get the BSG output 
bit ot at step f, t — 1, we step LFSRi, i = 1,2, or not depending on whether 
c) = 1 or c) = 0, respectively, and then we add modulo 2 the output bits (s| j 
and Si f.) of the shift registers. 




Fig. 1. The bilateral stop/go generator. 



Some theory of the bilateral stop/go generator is exposed in [3]. In a few 
words, the state diagram of the BSG consists of 3 — 1 branched cycles each 

of length T = 5 -2'^^^ — 1. At any cycle state there is at most one branch. Every 









204 



Renato Menicocci and Jovan Dj. Golic 



branch has length 1 and starts with a state having no predecessor. By using L 
such that T is prime, the linear complexity of the sequence produced while the 
generator covers a cycle has a lower bound of the same order of magnitude as T 
(see [3], [4]). 

We assume that the cryptanalyst knows the feedback polynomials of the 
two LFSRs and operates in the known plaintext scenario. The cryptanalyst’s 
objective is then to reconstruct the secret-key-controlled LFSR initial states 
from a known segment of the keystream sequence. 

In the sequel, we denote by A a sequence of symbols ai, 02, . . . and by A" a 
string 01,02, . . . o„ constituted by the first n symbols of A. When A is a binary 
sequence, we denote its first derivative by A = di, 02, . . ., where at = at — at+i, 
— standing for modulo 2 addition. 

Let X — xi,X2, ■ ■ ■ and Y = yi, y2, • • • denote two binary input sequences and 
let C = ci,C2,. . . denote a three- valued clock-control sequence, where Ci — C, 
C = — 1— , —2— —1, 2 — ; Let O = G(X, Y,C) = 01,02,. ■ ■ denote the combination 
sequence produced from X and V by the step-then-add bilateral stop/go clocking 
according to C, where X and V correspond to the regularly clocked LFSRi and 
LFSR2 sequences, respectively. Note that ct determines which register is stepped 
in order to get the BSG output bit at step t. 

We initially have oi = X2 — yi if ci = —1— oi = xi — j/2 if ci = — 2— , 
and oi = X2 — 2/2 if ci = —1,2— Let denote the number of oc- 
currences of the symbol A— i = 1,2, in the string For simplicity, let 

= h and W2{C“^^) ~ l2- The number of occurrences of the symbol 
— 1, 2— in is then s-f-1 — R — ^2- Thus, for any s — 0, Og+i = Xs+2-h — J/s+2-q ■ 

As for the generation of C, according to the BSG scheme from Fig 1, we 
have Cl = h{xL,XL-i,yL,yL-i) and, for s — 0, we can readily write Cs+2 = 

^(^L+s+l — ^2 ; L+S—I2 7 y L+s+l — li , y L+s — l\ )■ 

Gonsequently, for input/output strings of finite length, we have = 

G"+1(A"+2,F"+2,C"+1), with = iL Alternatively, we 

can write yn+i where L = max(2,L) and F repre- 

sents the joint action of G and H . 

3 Edit Probability for Auxiliary Clocking String 

In this section, we adopt a simplified model for the BSG which allows us to 
define and recursively compute a suitable edit probability. The edit probability 
so defined can be used for inferring about the LFSRi initial state from a given 
BSG output segment. 

Gonsider an auxiliary random sequence R = r\,r2,... which is used to re- 
place the input sequence Y in the role of generating the input bits for the clock- 
control function h. The simplified BSG model is as follows. X, Y, and R are in- 
dependent and purely random binary sequences (a sequence of independent uni- 
formly distributed random variables over any finite set is called purely random) . 
The clock-control string is generated as follows. Initially, we have ci = 

h{xL,XL-i,r2,ri) and, for s - 0, Cs+2 = h{xL+s+i-i2,XL+s-i27f2s+4,r2s+3), 




Edit Probability Correlation Attack 205 



where, as above, h = and I 2 = W 2 {C“^^). We represent this by writ- 
ing (7”+^ = The output string is generated as = 

The joint action of G and H is represented by F as 
Qn+I ^ pn+ii^x^+L' ^Y^+2^ where L = max(L, 2). 

Now we can define a suitable random edit transformation and an associated 
edit probability. In the given model, we start by considering the string O" = 
yn +2 j|> 2 n+ 2 ^_ transformation of a given input string 
into a given output string O”, according to a random input string T"+2 and an 
auxiliary random clocking string defines a random edit transformation. 

Let Z” = zi, Z 2 , ■ ■ ■ , Zn denote a given output string. The associated edit 
probability for a given input string and a given output string Z” is the 

probability that is transformed into Z” by a random edit transformation 

according to random y"+2 and Formally, we have 

= Pr-J^”(X”+-^',r"+2,i?2"+2) = (1) 

The statistically optimal edit probability (minimizing the error probability when 
deciding on given Z") is then given as 

Pr-A:”+^',F”(X”+'^',r”+^i^2«+2) ^ ^ p(X”+^';Z") ^r-X”+'^'^(2) 

As Pr-A"+^ — = \ the edit probability (1) is also statistically optimal. 

Our objective is to examine whether the defined edit probability can be 
computed efficiently by a recursive algorithm whoso computational complexity 
is significantly smaller than 0(2^"+^), which corresponds to the computation 
of (1) by the summation of the elementary probability over all y"+2 

and i?2"+2 such that ,Y^+^ , = Z”. To this end, we define the 

partial edit probability depending on the distribution of symbols in the clock- 
control string 

For any 0 — s — n, a pair {li, I 2 ) is said to be permissible if 0 — Zi, ^2 — s + 1 
and +/2 — s + 1- For a given s, the set of all the permissible values of (hjh) is 

denoted by — g. For any 1 — s — n and {I 1 J 2 ) s, the partial edit probability 

is defined as the conditional joint probability 

P{h.M,s) = Pr^* = Z^«;l(G*+l)=ll,u;2(G*+l) = l2W^+^'- (3) 

where 6® = G®(X*+^', W+2, G*+i) and G'^+i = i? 2 s+ 2 )_ fol- 

lowing theorem shows how to compute the edit probability efficiently, on the 
basis of a recursive property of the partial edit probability. 

Theorem 1. For any given and Z”, we have 

P(X"+^';Z”) = ^ P{h,l 2 ,n) (4) 

(^,^ 2 ) n 

where the partial edit probability P{l\,l 2 ,n) is computed recursively by 




206 



Renato Menicocci and Jovan Dj. Golic 



P{h,l2, S) = P{h - 1, h, S - 1)(1 - Zs - ±s+l_i2)(l - XL+s-l2)xL+s-l2~l 
+ ^ -P{h, h-l,S- 1)(1 - (1 - XL+s-l2 + l)xL+s-l2) 

3 

+ g -P{h, h, S - 1)(1 - (1 - XL+s-h)xL+s-l2-l) (5) 

for 1 — s — n and all {h, I 2 ) s, with the initial values P{0, 0, 0) = |(1 — (1 — 

xl)xl-i), P{0, 1,0) = i(l - {1-xl)xl-i) and P(1,0,0) = {1-xl)xl-i- (For 
eaeh 0 — s — n, if {h, I 2 ) is not permissible, then it is assumed that P{h, h, s) = 
0, so that the corresponding terms in (5) are not computed.) 



Proof First observe that (4) is a direct consequence of (3) and (1). 

Assume that s — 2. We partition all clock-control strings into three 

subsets with respect to the value of the last symbol c^+i. For simplicity of nota- 
tion, the conditioning on is removed from the probability (3) and all the 

resulting equations. Then (3) can be put into the form 

F(/i, h,s) = 

Pr^, = Zs-O^-^ = =h~ 1,W2{C^) = h,Cs+i = -1 — 

-Pt^s+1 = = Z^~\wi{C^) = h- 1,W2(C®) = I2- 

= Z®-\wi(C®) = h- 1,W2(C®) = I2- 
+ Pr-A, = Zs-O^-^ = Z®-\u;i(C®) = ;i,u;2(C®) = h - l,c,+i = ^ 2 — 
A^r-c,+i = -2^®-i = Z^~\wi{C^) = h,W2{C^) = h ~ 1- 
Pi-O^-^ = Z®-\u>i(C®) = h,W2{C'^) = l2-l- 
+ Pr-d, = 2 ,T)®-i = Z®^\'a;i(C®) = /i,'o;2(C®) = /2,c,+i = - 1 , 2 — 
Pt^s+1 = -1,2-0®-! = Z®-!,wi(0®) = /i,u;2(0®) = h- 
^rO)®-! = Z®-!,tci(0®) = h,W2{C^) = h-. (6) 



The third factor in each addend of (6) is easily recognized to be the partial 
edit probability, of argument s — 1, appearing in the corresponding addend of 
( 5 ). 

Now, under the condition that u;i(C'®+!) = — 1 and 1112(0®+!) = I2, we 

have Cs+i = h{xL+s-i2,XL+s-i2-i,r2s+2,r2s+i), which produces - 1 -if and only 
if {xL+s~i2,XL+s~i2-i) = ( 0 , 1 ). Moreover, if Cs+i = - 1 -, then Og = Xs+i.-i2- 
Similarly, under the condition that wi( 0 ®+!) = h and z« 2 ( 0 ®+!) = I2, we have 
Cs+i = h{xL+s-i2+i,XL+s-i2,r2s+2,r2s+i), which produces - 2 - if and only if 
{xL+s-h+i,XL+s~i2) = ( 0 , 1 ) and (r2«+2, r2s+i) = ( 0 , 1 ). Moreover, if c^+i = 
— 2 — then dg — 2/s+i_q. Finally, under the condition that rci( 0 ®+!) = h and 
W2(0®+!) = I2, we have c^+i = h{xL+g-i2+i,XL+s-i2,r2s+2,r2s+i), which pro- 
duces - 1 , 2 - if and only if (xL+g-i2,XL+s-i2-i) = ( 0 , 1 ) and (r2s+2, r2s+i) = 
( 0 , 1 ). Moreover, if Cg+i = - 1 , 2 - then = Xg+i-i.^ - y^+i-q. 




Edit Probability Correlation Attack 207 



Consequently, we have (conditioned on ) that 



Pr-c 


s-K = ' 


-1^®-^ 


= Z®”\ 


«U(G®): 


= h 


-l,W 2 [C^ = 


h — 




= (1 


- Xl+ 


8 — I 2 )xl+s 


-I 2-1 










(7) 


Pr-c 


s-K = - 


-2^®“^ 


= Z®-\ 


U^l(G*): 


= h, 


W 2 [C^) = l 2 - 


- 1- 




= (1 


-(1- 


^L-j-s — /2 + I 


-b)-l/4 








(8) 


Pr-c 


s-l-1 = • 


- 1 , 2 ^®“ 


-1 = z®' 




)=> 


h,W 2 [Cn = h 






= (1 


-(1- 


X L-\-S~l 2 )^ L-{-S — l 2 


- 1 ) -3/4. 








(9) 


Eurther, we 


get 
















Pr-ds 


Zs-O'^- 


^ = Z®"^ 


,«;i(G*) 


= ^1-1 


, u>2(G®) = hXs+i 


= -l-^ 




1 




-h 












(10) 


Pr-ds = 




1 = Z®-^ 


,iui(G®) 


= h,W 2 ' 


(G®) 


= I 2 — 1 , Cs+1 


= -2— 




= 1/2 
















(11) 


Pr-ds = 


Zs-O^^ 


1 = Z®“^ 


,wi[Cn 


= h,W 2 l 


[cn 


= I 2 , Cg +1 = - 


-1,2^ 




= 1/2. 
















(12) 


Equation (11) follows 


from Os = 




by taking into account that ys+ 2-1 


'1 re- 



mains to be independent of ys+i-q when conditioned on O® ^ = G® ^(X® , 

y®+\G®), tci(G®) = and te 2 (G®) = ^2 — 1, as this condition involves only 
ys+i-b Equation (12) is proved analogously. 

Equation (5) is obtained from (6) by plugging in the determined probabilities. 

Eor s = 1, the edit probability values are directly obtained from (3). When 
these values are expressed in terms of the unknown initial values by the recur- 
sion (5), a system of linear equations is obtained. The initial values are then 
determined by solving this system. — 

The time and space complexities of the recursive algorithm corresponding 
to Theorem 1 are 0{n^) and O(u^), respectively. Since the edit probability is 
exponentially small in the string length, the following normalization turns out to 
be computationally convenient: Z") = 2”+^P(X”+^'; Z”). It results 

from the right-hand side of (5) and the initial values being multiplied by 2. 

4 False Alarm Probability 

In order to investigate whether a correlation attack based on the proposed edit 
probability can be successful, we develop a statistical hypothesis testing model 
similar to the one introduced in [2]. We start by considering the probability 
distribution of the edit probability P(X"+^ , Z") under the following two prob- 
abilistic hypotheses: 

— Ho [correlated case): and are purely random and independent 

and Z” = F^[X ^+^' (that is, Z” = G”(X”+2, G”+^) and 

(jn+l ^ pj n+1 ^^n+L 

— Hi [independent case): and Z” are purely random and independent. 




208 



Renato Menicocci and Jovan Dj. Golic 



This means that when generating the correlated samples, the third and the 
fourth input bits of the clock-control function h are taken from the input se- 
quence V as in the actual BSG scheme, rather than from an auxiliary random 
sequence. For the correlation attack to work, it is necessary that the separation 
between the probability distributions in the correlated and independent cases 
increases with the string length n, and the faster the increase, the smaller the 
string length required for successful decision making is. Analyzing the separation 
of the two probability distributions seems to be a difficult task from a theoretical 
point of view, but one can measure the separation experimentally. 

We conducted systematic experiments for the normalized edit probability 
and produced histograms of the two distributions for each n = 100, (10), 800 on 
random samples of 1000 pairs , Z") generated according to Ho (for fixed 

L = 100) and Hi, respectively. They show that the separation of interest in- 
creases with the string length n. It thus turns out that, for a sufficiently large n, 
the normalized edit probability is much larger in the correlated than in the inde- 
pendent case. For illustration, Tables 1 and 2 given in the Appendix display the 
observed minimum, maximum, mean, and median values along with the stan- 
dard deviation of the normalized edit probability, for each n = 100, (100), 800, 
for the independent and correlated case, respectively. 

As we deal with a decision making problem, the separation between the 
two distributions is measured by the false alarm probability (derived from the 
distribution under Hi) when the missing event probability (derived from the 
distribution under Hq) is fixed. Since the number of correct input strings is 
only one, reasonable values for the missing event probability seem to be pm = 
0.1 or Pm = 0.05. Therefore, in the statistical hypothesis testing considered, a 
threshold is set according to pm and a tested input string is classified under 
Ho or Hi depending on whether the normalized edit probability is bigger or 
smaller than the fixed threshold. The false alarm probability pf then becomes 
a function of n, and if and only if this function is decreasing, the separation 
between the two distributions increases with n, as desired. The value of n should 
be chosen so as to make pf inversely proportional to the number of incorrect 
input strings. We evaluated thresholds and false alarm probabilities relative to 
the data collected for the above histograms. For illustration. Table 3 given in 
the Appendix displays the estimated threshold, Pth, and false alarm probability, 
Pf, for each n = 100, (100), 800. 

The data collected show that, for each considered pm, the estimated pf de- 
creases with n. Moreover, for large n, pf appears to be following the exponential 
form a 6”, b < 1. As a consequence, the minimum string length n required for 
the expected number of false input string candidates to be reduced to about one 
is linear in the logarithm (to the base two) of the total number of tested input 
strings. The corresponding estimates of the parameters a and b were obtained by 
the least mean square approximation method applied to the logarithms to the 
base two of the false alarm probability estimates for n = 100, (10), 800 and are 
presented in Table 4 given in the Appendix. The parameters a and b were esti- 
mated on the first 10, 20, and 25 points for pm = 0.1 and Pm = 0.05. The most 




Edit Probability Correlation Attack 209 



reliable estimates were obtained for the first 10 points. To be on the conservative 
side, the false alarm probabilities pj ^(n) and can be approximated for 

large n by 

p^in) - 0.542 -0.986”, - 0.520 -0.990". (13) 

5 Correlation Attack 

In this section, we propose a correlation attack on the BSG based on the prop- 
erties of the introduced edit probability. It is assumed that the LFSR feedback 
polynomials and a sufficiently long segment of the BSG output sequence are 
known to the cryptanalyst. The attack consists of two phases. The goal of the 
first phase is to recover the initial state of LFSRi by using the (normalized) edit 
probability defined in Section 3. Suppose a number of candidates for the LFSRi 
initial state is obtained in this way. Then, in the second phase, the correct initial 
states of LFSRi and LFSR 2 are reconstructed. The solution is very likely to be 
unique as the equivalent initial states, producing the same output sequence, are 
unlikely to exist. 

We first produce n bits of the first binary derivative, Z", of the first n + 1 
successive bits of the known BSG output sequence. The string Z" comes from 
the (unknown) output strings of the regularly clocked LFSRi and LFSR 2 of 
maximum possible length n + L (the actual lengths are random and depend 
on the unknown LFSR initial states). In the correlation attack on LFSRi, for 
any possible LFSRi initial state, by using its linear recursion, we first generate 
n + L output bits which constitute the input string . Then, we compute 

the normalized edit probability F(X"+'^ , Z") by the recursive algorithm derived 
in Section 3. This is repeated for the 2-^ — 1 possible initial states of LFSRi (the 
all zero state is excluded). Roughly speaking, the candidates for the correct 
LFSRi initial state are obtained as the ones with the computed normalized edit 
probability close to being maximal. More precisely, a threshold is set according 
to the missing event probability (for the correct hypothesis Hq) which is fixed to 
a value which need not be very small (e.g., Pm = 0.1 or pm = 0.05). Then, every 
possible initial state is classified as a candidate if the corresponding normalized 
edit probability is not less than the threshold. This threshold can be obtained 
experimentally, as described in Section 4. 

Ideally, for n sufficiently large, there should remain only one candidate for the 
initial state of LFSRi. This can happen if and only if the false alarm probability 
(for the alternative hypothesis Hi) Pf{n) defined in Section 4 is sufficiently 
small. Namely, since the expected number of false candidates for an average 
Z” is {2^ — l)pf{n), the correlation attack would be successful if and only if, 
approximately, 

2^Pf{n) - 1. (14) 

If Pf{n) has the exponential form a 6", where 6 < 1, then (14) reduces to 

L + log2 a 

- log2 b 



n 



(15) 




210 Renato Menicocci and Jovan Dj. Golic 

which means that the required output segment length is linear in the length of 
LFSRi- By (13), the required output segment length is then estimated as 



n - 49.2 L- 43.4 (16) 

n-69.0L-65.1 (17) 



for Pm = 0.1 and pm = 0.05, respeetively. 

Aeeordingly, we should obtain a relatively small number of eandidate initial 
states for LFSRi in time These candidate initial states are then 

ranked in order of decreasing normalized edit probabilities. The candidate states 
are tested in the seeond phase of the attack, according to decreasing normalized 
edit probabilities. Namely, each candidate state is associated with each of the 
2-^ — 1 possible initial states for LFSR 2 . Each resulting LFSR state pair is then 
used to initialize the state of the BSG under attaek. The corresponding out- 
put sequenee is finally compared with the given BSG output sequence. All the 
solutions for the LFSR initial states are thus found in time 0(2^). 

6 Experimental Results 

The attaek described in the previous section was tested on short LFSRs by 
computer simulations, which verified that the attack can work in practice. 

Some results of our experiments are shown in Table 5. In each experiment 
we used primitive LFSRs of the same length L. For L = 14, 15, and 16, the 
needed BSG output string length, u + 1, was first estimated by (16). The ex- 
periments were also repeated by halving this string length. The good results 
(and time reduction) obtained for L = 14, 15, and 16 when moving from n to 
n/2 motivated the choice of using n = 500(400) instead of n = 800(400), for 
L = 17. The thresholds for the normalized edit probability were obtained from 
the data collected for n = 100, (10), 800 (see Table 3 for n = 100, (100), 800). 
For n = 325, 375, we used interpolation. 

We counted the number of LFSRi states giving rise to a normalized edit 
probability not smaller than the given threshold {candidates) . For every candi- 
date initial state for LFSRi we searched for a companion initial state for LFSR 2 
and counted the joint solutions {solutions). Table 5 shows that a unique joint 
solution was always found. Finally, we determined the position of the LFSRi 
component of this solution in the list of LFSRi initial state candidates ranked 
in order of decreasing normalized edit probabilities {rank). 

As for the LFSRi initial state candidates, we found that a candidate is very 
likely obtainable from the correct LFSRi initial state by a small positive or 
negative phase shift. 

7 Conclusions 



It is pointed out that the stop/go clocking in the bilateral stop/go keystream 
generator can be viewed as a random edit transformation of an input string into 




Edit Probability Correlation Attack 211 



one output binary string. The input string corresponds to the output sequence 
of LFSRi when regularly clocked and the output string corresponds to the first 
binary derivative of the keystream sequence. The output sequence of LFSR2 
and an auxiliary binary clock-control string are assumed to be independent and 
purely random. The related edit probability is then defined and a recursive 
algorithm for its computation is derived. 

It is shown how the edit probability can be used to mount a correlation 
attack on LFSRi. For the underlying statistical hypothesis testing problem, the 
false alarm probability is estimated by computer simulations. According to the 
experiments conducted, the minimum output sequence length required to be 
known for a successful attack is linear in the length, L, of the LFSRs. The time 
complexity of the attack is estimated as 0(2^+^ Successful experimental 
correlation attacks performed on relatively short shift registers demonstrate the 
effectiveness of the developed methodology. 



References 



1 . D. Gollmann and W. G. Chambers, ’’Clock-controlled shift registers: A review,” 
IEEE Journal on Selected Areas in Communications , vol. 7, pp. 525-533, May 1989. 

2. J. Dj. Golic and R. Menicocci, ’’Edit probability correlation attack on the alternating 
step generator,” Sequences and Their Applications - SETA ’98, Discrete Mathemat- 
ics and Theoretical Computer Sciences, C. Ding, T. Helleseth, and H. Niederreiter 
eds.. Springer- Verlag, pp. 213-227, 1999. 

3. K. Zeng, C. H. Yang, and T. R. N. Rao, ’’Large primes in stream- cipher cryp- 
tography,” Advances in Cryptology - AUSCRYPT ’90, Lecture Notes in Computer 
Science, vol. 453, J. Seberry and J. Pieprzyk eds.. Springer- Verlag, pp. 194-205, 
1990. 

4. K. Zeng, C. H. Yang, D. Y. Wey, and T. R. N. Rao, ’’Pseudorandom bit generators 
in stream-cipher cryptography,” IEEE Computer , vol. 24, no. 2, pp. 8-17, Feb. 1991. 



Appendix 



Table 1. Statistics of P on 1000 independent pairs , Z"). 


n 


Min 


Max 


Mean 


Median 


Std Dev 


100 


6.341E-9 


3.339E2 


2.314E0 


1.43E-1 


1.294E1 


200 


4.307E-15 


3.952E2 


2.121E0 


1.597E-2 


1.69E1 


300 


4.279E-15 


2.774E2 


1.632E0 


2.674E-3 


1.347E1 


400 


2.669E-14 


6.531E2 


1.2E0 


4.36E-4 


2.168E1 


500 


2.246E-14 


7.893E1 


2.456E-1 


1.13E-4 


2.82E0 


600 


6.1E-20 


3.019E2 


4.643E-1 


2.023E-5 


9.68E0 


700 


3.915E-18 


1.598E4 


1.613E1 


3.771E-6 


5.055E2 


800 


5.145E-19 


7.301E1 


1.669E-1 


7.699E-7 


2.848E0 





212 



Renato Menicocci and Jovan Dj. Golic 



Table 2. Statistics of P on 1000 correlated pairs ,Z"). 


n 


Min 


Max 


Mean 


Median 


Std Dev 


100 


7.637E-2 


7.097E3 


1.097E2 


2.486E1 


4.006E2 


200 


8.051E-2 


1.703E6 


6.538E3 


2.033E2 


7.162E4 


300 


5.31E-2 


3.59E7 


1.269E5 


1.863E3 


1.62E6 


400 


3E-1 


2.658E8 


1.759E6 


1.056E4 


1.438E7 


500 


3.053E0 


7.872E10 


1.213E8 


1.108E5 


2.573E9 


600 


8.349E-1 


3.3E12 


6.27E9 


6.357E5 


1.222E11 


700 


4.942E1 


2.123E12 


4.933E9 


5.135E6 


7.462E10 


800 


3.484E0 


1.987E13 


7.507E10 


2.374E7 


8.822E11 



Table 3. Estimation of thresholds and 
false alarm probabilities. 


n 


50. 1 
^th 


50.05 

^th 


„ 0.1 

Pf 


„ 0.05 

Pf 


100 


3.122E0 


1.893E0 


1.22E-1 


1.67E-1 


200 


1.214E1 


5.655E0 


2.7E-2 


4.8E-2 


300 


4.138E1 


1.687E1 


l.lE-2 


1.9E-2 


400 


1.808E2 


5.709E1 


lE-3 


3E-3 


500 


7.413E2 


2.822E2 


0 


0 


600 


7.164E3 


1.505E3 


0 


0 


700 


2.172E4 


3.835E3 


0 


lE-3 


800 


7.587E4 


1.891E4 


0 


0 



Table 4. Estimation of 


a and b on 


10 , 20 , and 25 


points. 


Pm 


a 


a 


a 


b 


6 


b 


0.1 


.542 


.585 


.551 


.986 


.986 


.986 


0.05 


.520 


.736 


.731 


.990 


.987 


.987 



Table 5. Experimental results. 


L 


n 


threshold 


candidates 


solutions 


rank 


14 


650(325) 


11290(75) 


20(51) 


1(1) 


1(1) 


15 


700(350) 


21720(109) 


8(72) 


1(1) 


1(5) 


16 


750(375) 


46070(145) 


30(171) 


1(1) 


1(1) 


17 


500(400) 


741(180) 


35(139) 


1(1) 


26(29) 






























































Look-Up Table Based Large Finite Field 
Multiplication in Memory Constrained 
Cryptosystems 
(Extended Abstract) 



n 

n 1 n 



Abstract, n Ilk 

1 1 n n n 

n n n 

n 

1 n 



n 1 

n n Ik 1 

1 n 

n n 



Inn 11 1 

n n n n n 



In n n 
n 



1 Introduction 



1 1 1 

mil a 

g b m 

1 m 

1 m m 

1 



1 m "mil 

b ” 1 m 

a b 

m 1 1 

1 11 
1 m m 1 m 
m 1 



m 1 1 

1 

m 



1 



m 1 1 

1 



1 m 
m 



1 

m 1 m 
m 



m 



m m 

m 1 m 



1 

m 



m 



1 1 m 



1 m 1 
111 m 

1 1 

1 



1ml 1 

"mil 1 

mil 1 m 

1 1 

11 1 m m 



m 



n/g 
m 1 

1 



1 

m 

1 1 

m 



1 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 213-221, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




n 



2 Preliminaries 

2.1 Field Element Representation 



1 



n n 



1 m 



1 



1 



m 1 



n 

m 



1 m 



1 ml 
a 1 m 



A X ^ an~2X^ ^ 



a\x ao- 



1 1 m 



polynomial 



standard basis 

1 m 1 



m m 1 m 



t.e. p 



1 m 








n 




m 1 




1 






X 






a b 


n 
















n—1 








a 


b 


Ax B X 


Oi b, 
















i=0 














m 1 1 




m 


1 










m m 


m 1 


m 


1 


1 


A 


X 




B X 


m 


P 










a b 












p 


A 


P X A X B 


X m F X 


F 


X 




1 




m 


1 


n 








1 


1 


m 


F X 








11 








m 








F X 






u 








1 




1 


_ 


_ 


F X ] 



m 1 
1 1 m 



1 1ml 



fix 

ml 

m m m 1 m 1 m 1 1 

ml 1 trinomials 1 

1 mil 

ml 1 m F X 1 

all-one 1 m 1 equally-spaced 1 m 1 



m 



2.2 Bit-Level Multiplication Algorithm & Its Complexity 

F X 11ml 

a b p Im " p a -b 

1 




k 



n 



1 



1 1 



n 



P X A X B X m F X 

A X (pn-ix^^^ b\x 6o( m F x 

A X bn-\x A X bn ~2 X X A X b\ X A x bo m F x 

A X bn-ix m F X Ax bn -2 x m F x 

X m F X A X b\ X m F x A x bo- 

1 m 1 1 Ax X 

B X m F X 

m 1 m 11 

Algorithm 1 11m "11 

A X B X F X 
P X A X B X m F X 

Step 1.1 bn-i P X Ax 

1 P X 

Step 1.2 in— — 

P X xP x m F X 
bi P X P X Ax 



1 P X 

a -b 1 

1 

P x xP X m F X 
P X xP X 

xP X m 

X 1 1 

1 ml 



1 m 1 



1 1 



n — m 



F X m 



P X xP X m F X 
m 1 1 m 1ml 

P X P X Ax 

m In— 1 ml 

1 ml TpQly_add 

mil m 



^ multi^in^G F {2'^ 



n — — T, 



poly ^add • 



1 1 
11 



1 1 1 



3 Group-Level Look-Up Table Based Multiplication 



n 

n m 1 1 g( 

n m g 

^ nl k 

1 n n n 



B X s 

m 



g n k 

Inn 1 



m 

11 

g 1 w 




n 



B X X X*-® ^^^Bs -2 X x^ Bi X Bq x 



1 ( hig+jX^ - i - s- 

J i=o 
Bi X I 

(" ff)-i 

f ^ ^ 

j=0 



P X A X B X m F X m F x 

A X X x(®-2)s5^_2 X Bo x ( 

m F X 

A X Bs~i xm F X x®m F x 

A X Bs -2 xm F X x®m F x 

A X Bi X m F X x®m F x 
A X Bo X m F X . 

11 11m 1 m 

” m 1 1 

Algorithm 2 1 " 1 1 

A X B X F X 
P X A X B X m F X 

Step 2.1 P X Bs-i X A X m F x 
Step 2.2 k s — — 

P X x^P X m F X 

P X P X Bk X A X m F X 

1 

1 m 1 

s — m 

n — 

11 

Px X® ( x^ ( r=l_g/’ix'm Fx - 

( ( ( M ( 

n — g P X 

P X 




Xi 5 1 1 

m 1 m X 2 



1 

9 m 



11 








k 


1 






n 


1 11 n 








F X 




F X 








1 








m 




m 






1 


m 






1 






m 






1 








M 


m 


1 1 








X 


a / n~l j 

® ( ^=n~gP^^ m 


F 


X 


1 




m 








1 


1 














p 


X 


P X 


Bk X A X m 


F X 




1 
























^3 


Bk X 


A 


X m 


F X . 






9 




Bk X 


A X 1 




1 


m 


1 


— n — g — 










^n-g -2 ^ 


xn-g- 


-3 


i 


x” Bk 


X A X 


1 




m 1 








1 


1 


a 


m X3 






1 


m 


m 


1 






1 




T 




n >> g 


1 


m 






1 


1 


Bk X A X m 


F 


X 


11 


1 Bk 


X 






1 


1 


n ® 






1 




M 1 




1 






fl 




m 


A X 






m 








m 






1 


1 


1 






1 


1 m 






1 


m 






1 
















M 


T 


1 


1 


m 






1 e {1 


-1 i 










g _ 


1 






e 




M T 


1 














M 


e e. 


g-ix^~^ e. 


g- 2 X^~ 


-2 


— 


eo x” 


m F X , 






T 


e e, 


g-ix^~^ e. 


j- 2 'X^ 


-2 


— 


cq A X 


m F X , 






1 






11 




1 


m 








Ps-l X ^ 


( Lo Pn-g+i^" 
















Algorithm 3 


1 








1 


1 1 






A X 


B X 


F X 


M 




1 










P 


X A 


x B x m 


F X 














Step 3.1 




1 T 
















Step 3.2 P X 


T Bs-i X 
















Step 3.3 


k 


s — 


- 
















Xi 




PiX'^ 
















X 2 


M Ps~i X 


















Xi 


T Bk X 


















P X 


Xl X 2 


Xs 














1 


m 


m 


n 






m T M 


1 




s s — 




1 1 


m 




s — 


1 m 1 






s— — - 

w 






Xl 




s — 


n 

w 








1 










1 


s — 






s — 












m 


T Bi X 


i 




s- , ; 






11 
















n 



4 Table Generation Algorithms 



1 m T 1 

m m m 11m 1 

mil 1 m 11 1 1 

M 1 1 



Bkx IT 9 

Te e X —A X vci F x 



A / 0 — 1 i 

ex [ i=o ^ 

Bk X A X m F X 

Bk X 

1 11 g 



j' ff-i 



1 

ff-i 

( bkg+j F 

j=0 



base 

T ^ x^A X m F X 



T 



1 m 1 T T T 2 
m j 



J 

m mm 

1 



T xT ^ m F X . 

m 



A X 

m m 

“ 19- (^( 



1 ml 

m mm m 

9- 9- (^( 



T 



Lemma 1. 


Ax - 11 


m 1 


n — 




m regular 


1 1 


m 


1 


m 


1 





T 



1 



m 



m 



9 



1 



4.1 Entry Computation on 


Demand 




s < s 1 


1 


1 


m 


11 


1 


m 






11 1 m 






Algorithm 4 1 


m 


m 


e 


T \i , 


, — ? 5 - 


e T e 







m 




1 1 1 



step 4.1 eo tmp 

1 tmp T 

Step 4.2 g — — 

Ci tmp tmp T 



Step 4.3 T e tmp 



m 



1 m 1 



mm 



g- / 1 ml 



— i — s — 



m 



Corollary 2. 

1 m 



1 m 

11 



< 7-1 g _ 



1 m 

e 1 m 

m T Bi X 

s g — / 1 ml 

T 11 



1 

11 1 
1 ml 



T 1 



4.2 Entry Computation in Window Sequence 



1 



■g- 



W2, 

i i 

Lemma 3. 



s - 9 

1 

, T * 

W, 

T ^ j T * Tj 



1 

11 



Wi -i-g- 
— T * 



- J - - 



m 1 



W, - j 

- j - * 

m 1 

Wi 

1 

Algorithm 5 m 1 

T \i , , — i g- 

11 1 T 

i g- - 

j - 

T ^ j T * Tj 



m Wi 

m 

m 



1 1 m 

i.e. 
m 
m 

m 



J' 3 

W, 

11 

1 




n 



1ml i m 

* - Wi 11 

.9 - 

1_ 2 _ S-l _ g-l_ _g 

1 m 1 



5 Conclusions 



s/ ® m 

1 

m 1 m 

1 

m 1 



"ml 1 
s n 

1 

1 9 

11 

9 

1 1 



1 m 



m 



m 1 

9 

w 

m n 

m 

1 m 



1 



Acknowledgment 



m 

1 



1 1 



m 

1 

1 

1 



1 m 

1 1 

1 m 
m 



References 





VLSI Architectures for 


Computations 


in 


Galois Fields 


1 


n nk" 


n n 


nk" n 




n 


n 


n 


1 


1 11 


n 


1 IEEE Trans. 


Computers 












n 






11 1 11 




1 1 


Inform, and Comp. 


1 








n 


n n 






1 


n n 1 


1 


11 1 11 


1 


n 1 




"" IEEE Trans. 


Comput. 1 


n n 


n n 


1 k 




11 


kin n 


Advances in Cryptology- EUROCRYPT ’92, Lecture Notes in Com- 


puter Science 




n 1 








n 


1 n 


n 




n 


n 11 




Inn 




n 


n 


" n Advances 



in Cryptology- ASIACRYPT ’96, Lecture Notes in Computer Science 



n 




k 1 n 1 1 1 n 

n n 1 1 n n Design, Codes and 

Cryptography 1 

n n 1 11 

n Advances in Cryptology- CRYPTO ’97, Lecture Notes in Computer Science 
n 1 

11 1 n 1 11 

1 n 1 IEEE Trans. Computers 1 

n 11 n 

n Standards for Efficient Cryptography Group 




On the Combined Fermat /Lucas Probable 

Prime Test* 



1 1 y 



1 

siguna . muellerOuni-klu . ac . at 



Abstract. 



i 

i X 



iiy 



ly 

V 



11 



1 



X 



11 illi 

i li y i 

ly i 1 i 

i i i 

1 i 

ly lyi 

i i i 



1 X 

i ly 1 y 

1 i i 



ly i 1 
ill i 

u 

i 

i i 1 i 

y 1 



li 



1 Motivation and Background 



1.1 Pseudoprimality Testing Based on the Power Function 











n n 


n n 




n— 1 2 




n 


n 


n — 




n 


n 




n 


n 




n 


n n 




n n 


n 




n n 


n 


n 




Strong Probable Prime 


Test 


1 




n 


n 


n n 


n 






spsp 








n 2 p 




n n 




n 


2 


n 






n 


n 


n 


n n 


n 


n 




n 




n 


n 






n 






n 




n 






n n 


n 






n 




n n 1 






n 






n 




n 


n — 


n n 










00 


n 




n n 


n 








* 




y 


i 


i 


i 




11 




j 







M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 222-235, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




1 



1 i 



1.2 Pseudoprimality Testing Based on the Lucas Sequences 



n n n — 

n 

n n n n 

m+l m — 1 0 

0 n 1 n 

n 

^ D — 0 



n n n 

n 



n 



n 



n n 

n 

m m — 1 

0 1 1 

n n 
— n 

n In 

n n n 

n 



Lpsp 



n n n n 9 1 

n n 

1 n 

n n n 

n n 



Definition 1 Let he the Lucas sequence of the first kind and let 

be any integer. The rank of appearance modulo ( or simply ) 

is the smallest integer , if it exists, such that i — 0 



n 

n 



1 n 



n n 



D I 





n 




n 


n 


n n 




2^d — 0 


1 


n n n 11 




n sLpsp 


Lemma 1 


Let be a positive, 


a sLpsp 


if and only if it 



(f( 



(f( 



is a constant 



value for all prime factors of . 

sLpsp n n 
n 11 



1.3 Combined Tests 



n n 

n n n 



n n 

n n 

n n n 

n n 
n 

n 




1 



■11 



n 10 



n 



n — 1 
n 

n 10 n 

n n n 



n Z 
n 



n 

n 10^^ n 
n 



n n n 



1.4 The Main Goal of This Paper 

n types 



n n n 

n n n 

n 
n 



n 

n 



n 



n 



— Efficient and easy to implement algorithms 

n n n n n n n 

n n n n n 

n n n n n 

n fc 1 

n n 

n 

n n 

— High confidentiality 



n 



n 



n n 



1 



nn 



n n 



n 

n n 

n n 

In n 



n 



• n 



n n — 

n n n n n 

n-{D/n) on 0 H H 

n strong 

0 n 

n n 0 n n 

n 

An exact formula for the number of liars n 

n n n n 

n 

n n n 



n 




1 i 



n n 



1.5 The Proposed Test and the Main Results 



n n 

1 spsp 0 

n i 



n n 

0 n 

( Pj-^tQo ( _i 
n 

n n n 

n n 
nn 



sLpsp i 0 



n n n 



n n n n 

n n 

0 

n 



n 

n 



n n 

n 



2 Some Preliminaries 

2.1 The Rank of Appearance of the Lucas Sequence 

n n 



n n 



In n 

1 19 

I k 



(_( 



n n ' — ' 1 



1 k 



n 

1 n 
n 



1 



2.2 The Number of Parameters with the Same Rank of Appearance 



n —Wj 

n 

0 n 



n — Z 

n 



2 



— 0 



Definition 2 Let o ~ 

— . The function o 

modulo for which 



1 1—be fixed, and 1 be any divisor of 

is defined to be the number of distinct values of 
0 




1 



u 



Remark 1 Note that 
and I — if 



0 counts the values of with both ( ( 



n 1 



Proposition 1 Let — and suppose is a divisor of — where 1 — 1— 

1- If -1 then 0 



2. If 1 then 



0 



if 2 2 

0 otherwise. 

if 2 2 

otherwise. 



3 The Number of P That Pass the Lucas Test for a Fixed 

Q = Qo 



Proposition 2 For 


any 


odd prime 


and any positive integers 


and the 


following is true. 












k — 0 




iff 2-fc 


- 0 


for every — 0 




if either k 


or 


k — 0 




then 2 k — 0 




2k — 0 




“ iff either 


k 


or k - 0 


a 


Proof. 




n 




n n 


n 


n n n 


2k 


k 


k 


n 


nn 


n 




k 


n k 




□ 


n n 




n 






n fc n 


n n 


n 


19 


( P^-4.Q( 
p 







Theorem 1 Let be an odd prime, positive integers, 1, and — 

— 1 1— a constant. For a fixed value of o> o 1; the number of distinct 



numbers 
following way. 



1. For (^( 



2. for ( ^ ( 



with 



( D(P) ( 



( (k,p-e) 

— 1 as ^ 

0 



(k,p-e) 



1 as 



1 



- - 1 



and k 

when 2 — 

otherwise, 
when 2 
otherwise. 



0 



is given in the 



Proof. 



- 0 



k 



n 



0 



n 



0 




1 



1 i 



n n 

0 




1 (^( -1 n 



— Zp 

1 n 
n 



n 



0 I - n 

n n 



n 



d-{k,p — e) 
U2(d) = i/2(p-€) 



(k,p-e) 
u 2^ 



(k,p~e) 
u 2^ 



n 




1 



d-(k,p — e) 
i/2(rf)<i'2(p — e) 
d>l 



( 0 

d-(fc,p — e) 
i/2(d) = ^2(P-e) 



n 2-2 



( - ( 

d-(k,p — e) d-(k,p — e) 

d>l u2(d) = i^2(P — ^) 



- 1 



n 



2 



( 

d-{k ,p — c) 

i/2(d)<t'2(P-^) 

d>l 



( 

d-(;k ,p— c) 
d>l 



n 



n 



n 

I k n 

k 0 — 0 



kVk(P,Qo)~PUk(P,Qo) 

P^-iQo 

0 I n 

k 0 — 0 



k 0 
0 - 0 

I k nn 

n 

□ 



Theorem 2 Under the hypotheses of Theorem 1, the number of parameters 
with k 0 ^ 0 “ for a fixed q is, 



when ( ^ 



- 1 given as 



P-e 

2 



when ( ^ ( 1 qv 



given as 



for 2 1 2 - 

otherwise 

for 2 1 2 - 

otherwise. 




1 



u 



Proof. 



a 



n 



n 



0 

2 



2 

1 



n n n 

n k 0 - 0 

2 - n 

n 

1 




a 



n 



— 2 — 



{2k,p—e) 

0-0 n 



2k 0 




- 0 

-1 



(2k,p — e) 

2 



2 



(k,p-€) 

2 

n 



nn 



□ 



4 The Proposed Strong Fermat/Strong Lucas 
Combination 

4.1 Some Fundamentals 



Q\ 



spsp 



Epsp 



{n-{D/n))/2 

1 — 1 n 

n n n n 



n n n 

- 0 



(n-(_D/n))/2 



^ - 0 ( 



- 0 



ELpsp 



1 

n 



n ELpsp 
sLpsp 






Q| 



4.2 Description of the Proposed Test 

The test for one 



1 0 - 

n n Epsp 0 n 

— Zn — 0 

ELpsp 0 n+l ( 



Qo I 

n 

n 



-1 



■- on 
n n n 



(im( _i 



n 



n spsp 0 II sLpsp 0 

n n n n 

In the following, we will keep o fixed 



and check condition 4 for different choices of 
n 

i n 

n n n .• 



n sLpsp i 0 

n n 

n n 



n 




1 



1 i 



5 Fundamental Properties of the Proposed Test 



n n 
n 



'D , 






Theorem 3 Let the odd integer he a spsp o for (^( —1 Then a neees- 

sary condition that „-e(„) o — 0 is fulfilled for at least one integer 

2 

— 0 , is that for all prime divisors of 



Proof. 



^-l 



0 



1 



n n 2-1 
1 

( Qo( 



P 



n 



1 if (^( 1 

i/(^( -1 



.2a ( 1 n 

P 



'r-<rr) 0 “ 0 

2 

n n 



n 



n spsp 0 

n 



n n 
1 n 

n Epsp 

nn n 2-I 2 n 0 

2 p 0 

n (^( 1 2 p 0 2-1 

2-1-1 -1 n 



n 



n n 



2—1 2 p 0 

2-1 -In 



spsp 0 n 

n ( 2 a( _i 

p 

2-1 2-11 n 



n 



-1 



2-1 1 
1 



n 



2 — 



1 

1 n 



-1 



1 



□ 



Corollary 1 If is a spsp 0 .for —1 then, a necessary condition 

that there exists an integer — 0 such that (- 222 ( _i and «+! 0 — 0 

n 2 

is that, for every prime dividing , 



— if { — { 1 then I 2 1 2 — 1 and 2 — 1 

(■ 



- 1 




1 



u 



- z/ ( 2o ( 

J p 



Proof. 



— 1 then 



-1 

1 2 



1 and 2 — 1 



- 1 



□ 



6 The Number of Parameters That Pass the Proposed 
Test 



6.1 Some Technical Prerequisites 

Lemma 2 If is a sLpsp such that ( ^ ( 

2 ( — (-^(( for all prime divisors of . 

Proof. n n ELpsp 2 — 

sLpsp 2 



- 1 then 2 



□ 



Lemma 3 A necessary condition for an odd composite number to simulta- 
neously pass a psp 0 - ond a Lpsp o - tost with —1 is that 



n 0 

Proof. 
n n 



n—l 



0 



1 



n n 0 I - 

In n n „ o 

non on n 



• 1 n 



□ 



6.2 The Main Results 



n n 



Proposition 3 Let 

such that ( ^ ( 



1. For (^< 



2. for ( — ( 1 



Proof. 



T as 



as 



n n 

n n n 

In n psp 0 

be a psp 0 • Then the number of — Zpo 

0 — 0 “is given as follows. 

when 2 



p n 

and k 



d-(fc,p-e(p)) 
U2{d) = U2{p- e.{v)) 
{d,ordr^{Qo)) = 2 



— 2 — 



0 



(< 



d-(fc,p — e(p)) 

iy2(d)<L'2(P-^(p)) 
(d,ordn(Qo)) = 2 

d-(fc,p-e(p)) 
(d,ord^(Q 0 )) = 2 



when 2 
otherwise 



n n 



n n 



n 0 



□ 



Theorem 4 If is a spsp o for (^( —1 and ( pn 

number of — Zp» such that {lL^AQo.{ _i and n+i o — 0 “is 




1 



1 i 



— when 



( Qo ( _l giygfi as ^ 

( (n+i^ /or 



for 2 1 

0 otherwise 



— when I ^ I 1 given as 



2 1 
otherwise. 



Proof. 



n+l 0 



1 n 

- 0 



n n 

n+l 0 “0 



n 

n 

n n 



Qo f 

p 

2 1 



n+l 



2 1 
0 -0 



d-(n+l,p+l) 

U2(d) = i'2(P+l) 

(d,OTdry(Qo)) = 2 



n 

n n 



n 



n 0 



n I 
n n 



Qo ( I 

p 



1 n I „ 0 

(n+l,p+l) 

2 

n 



n 2 

2 1 2—1 

2 1 2 



1 



2 — 1 

2 

n 



1 

1 - 2-1 

n 



n 

- 1 

1 n 
n 



d-(71+l,p-l) 

(d,ordry(Qo)) = 2 



d-i2^,p-l) 
(d,ord-n{QQ)) = 2 



1 - 1 - 1 



n 

n+l 

2 



n n n 
- 1 1 



1 - 1 



□ 



Theorem 5 Suppose that a composite number fulfills for all prime divisors 
the following conditions 



1 



~ ^ ^ ^ 1 '2 1 

V’ 

— if { — { —1 then 

j n 



— 1 and 2 — 1 



1 and 2 — 1 



- 1 



- 1 




1 



u 



Let 7 1 respectively 0, according as — 1 or modulo . Then the number of 

parameters that pass the proposed test of section f.2 is given as 

/I 

( - 1 -1 - ( - 1 1-7 

p -n p -n 

Qfl. =1 £n. 

P P 

Otherwise does not pass the proposed test for any of the parameters 



6.3 Some Special Cases 



n spsp 

n n 

n 



Lemma 4 Let 



i=l * 



. Suppose that for some there exists a 
parameter i with | i such that is a psp i . A necessary condition 

for to be a Lpsp for — and (^( —1, is that (^( —1. 



Proof. 



Ri 

' Pi 



i-1 n 



Pi-1 



Pi-1 

2 



□ 



Corollary 2 A necessary condition for a Carmichael number ( i to be 
a Lpsp with — and (-^( —1 is that / and (^( —1 for all i 

n 

Lemma 5 Let ( i be a spsp to a set of bases. Suppose that for every 
there is an i — with i\ pi i where i denotes the odd part of i — 1. 
Let ^ — such that (-^( —1 and — 0. If \ or (^( 1 for some 

then cannot he a sLpsp 

n 

Corollary 3 Suppose that for all primes i dividing (at least) one of the 
following conditions holds: 

- i | -1 i 

-(|f( - 1 . 




1 



1 i 



Then, can pass the proposed test of section 4-2, only if, for all i 

(^( ( ( _i 

i i 

2 1 2 1 and 2-1 2-1 

In this case the number of that pass the test equals 

1 * 1 
-7 

Pi TL 

where 7 is defined in Theorem 5. 

Remark 2 (i) If has prime factors, then with probability ^ the base 0 is 
a nonresidue for all the i. Since the spsp test is extremely fast, it can very 
efficiently be run for variations of 0 As a second step, now Corollary 3 
asserts that the combination with the Lucas test as described in section 4-2 
is highly reliable. 

(a) It is known (cf. [3]) that if a composite integer is a spsp w.r.t. all possible 
bases, then is either of the form 1 1 , or is a 

Carmichael number with three factors that are — The first from 

can easily be checked for compositeness, since 1 1 implies 

that 1 is a perfect square. For numbers of the second form, no efficient 
algorithms are known. However, in this case Corollary 3 asserts that the 
proposed test is very effective. In particular, since i — 1 | — 1 the number 

of liars obviously will be very small. 



6.4 Some Numerical Examples 

1 spsp n 0 

n spsp 

0 n 



- 10^3 



n 1 n n 

n 

n n 



n n 



Distribution of all composites — 10^3, 

the proposed test for 0 


that pass 


n 


n n 


n 


1 


9 




n 




n 




n 




n 




9 


1 


0 




9 


1 


0 1 




1 0 


1 


0 1 


10 


0 


1 


0 09 




0 

0 




0 





i 


■'ll 














spsp 




n 












n 


n n 


spsp 




n n 




n 


n 
















n 






spsp 


- 






n 


n 




n 




n 




- 100 




n 


n n 




n 










n 0 


n n 










n 






n 


n 






n ' 


( Qo ( 

n ^ 


-1 


n 


1 90 


911 


0919 1 1 1 


n 


19 


0 9 


0 


1 9 


9 0 


11 1 09 


1 0 0 9 1 




n 


n 


10 


1 


9 0 1 


9 9 1 


9 0 1 




n 








n 




n n 


1 


n 








spsp 




- 00 1 




n 








n on 


n 














Acknowledgement 






















n 






n 


n 




n n 


n 











References 










1 


1 ill 


i li y 


i 


i i 


64 










illi 






i 


35 


1 i 




i y i y 


y 


y 


y i 


i 


i 






i 1 








y 1 i 




1 


1 










1 i i 


i 


y 


72 










ill 


i 


il i 


i 


i 1 i 




7 












i 


1 


61 


1 




i i 




3 


i 1 'll 




1 




i i 


i 


1 












1 i 


lli 


11 


y 


i 


225 






■'ll 




i 




i i 1 


1 


i 




■11 


i i 


1 1 


10 








■'ll 


i 1 






lli 11 




y 


i 225 












i 








1 i 






■'ll 














i 




i 


th 


i 1 






i 


i 




i 


li i 


















■'ll 


1 


i 


i 




i li y i 




i 




i 


y 1 y 












i 


i 


1 


li 


i 1 






i 






i 




i 1 






15 




61 




i 












li 


1 




1 


1 i 


i 


ly 


i 1 




i 


i 


1 


i 


U 




i 


i 




1 1 


6 




i i 




i 








li 


i 






d 


i 








ili 






li i 


i 


i 




1 


1 










On the Cryptanalysis of Nonlinear Sequences 

[Invited Paper] 



Communication Sciences Institute 
University of Southern California 
Los Angeles, CA 90089-2565 U.S.A. 
c/o milly@mizar.usc.edu 



Abstract. A nonlinear boolean function f{xi,X2,---,Xk) of k binary 
variables may be used in two basically different ways to generate a non- 
linear binary sequence, internally or externally. Internally, / may be part 
of the feedback computation of a nonlinear feedback shift register. Ex- 
ternally, / may be applied to the output bit stream of another sequence 
generator (e.g. a linear shift register) to introduce nonlinearity, or greater 
nonlinearity. A third approach is to use / to obtain a nonlinear combi- 
nation of k linear sequences. The vulnerability of systems using / in any 
of these ways to cryptanalysis depends on the multidimensional correla- 
tions of / with the modulo 2 sums of the subsets of its variables. This 
principle was published by the present author in [1] in 1959, and included 
as Chapter 8 in his book [2] in 1967. It was subsequently rediscovered 
and republished in 1988 in [3], on the basis of which it is sometimes 
known as the Xiao- Massey algorithm. Some practical aspects of the use 
of this principle in code construction as well as code breaking, and for 
other types of signal design, are discussed. 



1 Introduction 



h 



F2 



2^'^ boolean functions k 
h 2^ linear homogeneous 



h k 



h 



h 2^= 



linear inhomogeneous h 

nonlinear boolean functions k 

h binary maximum-length linear shift register sequences 
quences PN sequences h 

h h 



Fi 

2 

22'“ _ 2fe+i 



m-se- 



h 

n 

2” - h 

h 



h h 

n- 

n h 

h 



h 

n 

h 



m- 



h 



h 



nonlinearity 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 236-242, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




On the Cryptanalysis of Nonlinear Sequences 237 



2 Nonlinear Shift Register Sequences 



h 



h 



h h 



2.1 Nonlinear Feedback Shift Registers 

h h k h- n h 




k 


h h 


h h h 

register h h 

2” h h 


h nonlinear shift 


h h 

h 


h 


h h 

2 h 


h 



2.2 Linear Sequences with External Nonlinear Logic 



n- h 




m- 


2” - h 




k 




h 








2” - h 




h h h 




h k 


h 






h n h 








h 








h h 




h 


1 


h 




h k 


n 


2.3 Nonlinear Combinations of Several Sequences 




h k 




k 




k 


h 






Pl,P2, ■ ■ ■ 


,Pk 


h h h 




P l.c.rn. pi,p 2 , ■ . ■ 


,Pk 


h 


h 


h 








h 






h 


m- h 








h h 




h 




h 




h 




h h 






k : 


h 




h 


different 




238 



Solomon W. Golomb 



3 Classification of Boolean Functions 

h 22'= 



k {f Xl,X2, ■ ■ ■ ,Xk 

families orbits h h 

h 



h 

Hk 2^ k 



h h 
h 



h k 



hh 



h h h 



h z 



/ k 



h h h 22 / 2^= fc 

Hk 2 Gk h2'=+i k 

h output f h Hk 

2 Gk h fc h 

k H G 

invariants h h z h 

G h H 

h h h 

h h 



4 Calculating the Invariants 

h h 



h j 



h h 

0 h 

h h h 

h h 

z fl h h 

h h 



h h 

h h h 

k h h 2’^ 

h 2^= h 
h h 

h h 

h h 

h 

h - h 

h h h h 

h 



are h 
h 




H 

h 



h 



On the Cryptanalysis of Nonlinear Sequences 239 



h 



h 



h 



h 



h h 



G 

h 



h 



2 



Theorem 1 Let cq f x\,X 2 , ■ ■ ■ ,Xk , which is the number of 1 ’s in the 

all Xj 

truth table for f xi,X2, ■ ■ ■ ,Xk , and let To cq , 2^ — cq . Then cq is an 

invariant for the orbit of f under Hk, and Tq is an invariant for the orbit of f 
under Gk- 



Proof. 



To 



h 

h h h / 

/ Co 2^" - Co h Co 

Co, 2^ — Co G 



h 



/ Xl,X2, ■■■,Xk 
Co h 

H 



Definition 1 To and co are the zero order invariants of f with respeet to G and 
H, respectively. 



Theorem 2 For eaeh i, i k, let R\ d\,2^ — d\ , where d\ 

f xi,X 2 , ... ,Xk 0 . Then the set of numbers RI,RI, . . . , Ri, when re- 

all Xj 

arranged in descending order, forms a eolleetion of k invariants (the “first-order 
invariants” ) Tf.Tf, . . ■ ,T^ for the orbit of f under G. These are also invariants 
for the orbit of f under H. (For notational consisteney, we may denote these 
same invariants by c\,c\, . . . ,Ci, when referring to them as the “first-order in- 
variants” with respeet to H.) [The symbol 0 denotes modulo 2 addition, but the 
summation sign denotes ordinary addition.] 



Proof, h R\ 

d\,2^ - d{ 



f 

G 



x^ li 



h h. Xi 

2^-d{,d\ h h 
h 

z {Tl 

f f Xi,X2,...,Xk ®Xi h. 

h [T] H 



{Rl,Rl...,R>( 

{R\ 

h {Tl 

h 
h 



Definition 2 For every pair i,j with i j k, define d^f 

f Xl , X2 , , Xk 0 Xi 0 Xj . The complement of d^f 2^ — d^f ■ That 



Xi,X2,...,Xk 

permutation and complementation of the variables of f (not necessarily unique) 
which is consistent with yielding the values {R\ in descending order and whieh 
makes the sequence of [Tlf numerieally greatest (i.e. larger values oeeur ahead of 
smaller values, to the extent permitted by consisteney with the ordering of {T{ ) 
yields the second-order invariants T^’^, T^’^, . . . , T ^"^, . . . , for the orbit of 




240 



Solomon W. Golomb 



/ relative to G, which are also the second-order invariants c^’^, c^’^, . . . , c^’^, . . . , 
orbit of f relative to H . (The assertions inherent in this definition 
are proved in the same way as the proof of Theorem 2.) 



h 

f Xi,X2,...,Xk 0Xi2 0 . . .0Xi 



^ 2 l, 22 ,...,Zr 



h e( 



all Xj 

h k f r 

h Cr{Rr- 

G h 

h h 

2 h t 

7^12 7^13 7^14 7^23 7^24 7^34 
-^2 5-^2 5-^2 5-^2 ’-^2 ’-^2 

, , 0, Ti234 



h h h - 

h 

h 

f v,x,y,z V y z vz xz 
h To , ri,r2,T3,T4 2, 0, 0, , 

n 0 7^123 7^124 7^134 7^234 

1 ) ^^3 ,^3 ,^3 ,^3 



5 Significance of the Invariants 



2 

h 



h 



h 

h 



h 

h 



h 

h h 

h {xi,X 2 , ■ . . ,Xk r 

h r h h h 

balanced 0 

h h 

h h h 

k h h a// h 

uncorrelated h 
2 {xi,X2, . ■ . ,Xk h 

h linear 



h h 

r 0,r ,r 2 
h 
h 

h 

h 



h 



h h h 
linearly h 
h 

11 h 
fl h 



2 h h 

f Xl, X2 ; • • • 5 Xji 



n- 



f XI,X 2 , ■ ■ ■ ,Xn g xi,X 2 ,...,Xn-i 0 a:„ 



h 

h 



Xn ll 

h h 
h h 

h / 

9 
fo 

h 
n 

h 



h {aj 1 

Wj 

{aj ®{aj-r 



To 2'=“^ h g 



9 



9 h 




On the Cryptanalysis of Nonlinear Sequences 241 



h h h 

h ffh/5f0x„hh 

g®h /©x„©/i h 
h r / 

/ k 

h / 

2'=-! h h fc h / 

h 6hh / r6h 

2^^^ h h h 

h 



6 Historical Notes 

h j h 
h h 



h h 

j h 



h j 



3 9 h 



z h 



h h h j 

easy h h 

h h j 

h / Xi,X2, . . . ,Xfe j Xl,X2,...,Xfe 

h h Xj h j h j 

h hhhh hhhh 



h h 



h k 



Tl rf 



rnk ofc— 1 ( k—1 ( 

-^1 ^ [l(k-l)[ 




242 



Solomon W. Golomb 



9 9 h 



2 

h 

h 



h 

h j 



9 h h 



216 

orbits 

h 



h 

9 0 
h h 



h h 



9 2 



h h h 



9 h 2 
h 
3 

h 

h h h 
h h h 

h linear 
h 9 0 
h 

j 



, 3 

G h 



h 



h 



h 



h 



9 



h 

h 

h 



h 
9 

h 

h 



h h 
h 



h 



h 



References 

1. Golomb, S.W.: On the Glassification of Boolean Functions. Transactions of the 
International Symposium on Gircuit and Information Theory: IRE Transactions 
on Circuit Theory. CT-6 (1959) 176-186; IRE Transactions on Information Theory. 
IT-5 (1959) 176-186. 

2. Golomb, S.W.: Shift Register Sequences. Holden- Day, Inc., San Erancisco (1967). 

3. Xiao, G.-Z., Massey, J.L.: A spectral characterization of correlation- immune com- 
bining functions. IEEE Trans, on Information Theory, IT-34, no. 3 (1988) 569-571. 

4. Slepian, D.: On the number of symmetry types of boolean functions of n variables, 
Can. J. Math. 5, no. 2 (1953) 185-193. 

5. Golomb, S.W., ed.: Digital Communications with Space Applications. Prentice- Hall, 
Englewood Cliffs, NJ (1964). 

6. Siegenthaler, T., Decrypting a Class of Stream Ciphers Using Ciphertext Only. IEEE 
Trans, on Computers, C-34 (1985) 81-85. 




Securing Aeronautical Telecommunications 

[Invited Paper] 

Simon Blake-Wilson 

Abstract. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 243-243, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




Tensor-Based Trapdoors for CVP and Their 
Application to Pnblic Key Cryptography 
(Extended Abstract) 



g 



9 



{fischlin, Seifert jOinformatik .uni-frankfurt . de 
http ; //www.mi . inf ormatik.uni-f rankfurt . de/ 



Abstract. 



1 Introduction 



V 

m 

g m 
m gw 



m 

w m 



m 

g m g 
m m 

m 



g m 

mg g m 



m 



w 



m 



m 



g w 



m g 



m 



m gw 

m w w 



g V 

w w 

W V 

m 



m g m 

V 

g m 



X m 
m 



w m w 

gv g 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 244-257, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




w 



V 



g g 



m 



w 



V 



w 



g 



V 



g V 
V 

m 



m 



2 Lattices, Reduction, and Closest- Vector-Problem 



w m 

w V m 

Definition 1 (Lattice) Given an ordered set (matrix) b\ b of 

linear independent eolumn veetors in , the set of all integral linear eombina- 
tions of the vectors 



£ I 6 - b 

I =1 =1 

is called a lattice generated by the base . Its dimension is m and if 

we call it a full dimensional lattice. The vectors are called lattice points. 
A lattice sub — with m sub m is a sublattice of . Sublattices of 
are called integer lattices. 



V 

g g m 

w 

m X — 




V 

m 



g 



]■ w 



V w 

g g 

m 



Definition 2 (Reciprocal Base and Lattice) If is a base for the lattice 
— , then the — matrix * with — * t called the reciprocal 

(or dual) base to . * C * is called the reciprocal lattice to . 



w m / 



m 



Definition 3 (Determinant) The determinant of a lattice C 

with base vectors b\ b is the -dimensional volume of the fundamental par- 



allelepiped 0 

sional lattice — 


b which eguals 


T 


and in case of a full dimen- 


V 


m 




— W V 


e — 




g V 


bi b 


V 


m 


m 


m 


V g 


g m 


-e 

0 


— V 


bi 


b 


w 


Gram- Schmidt or- 


thogonalization b\ 


b w m 

A) b - A) - 


g 


w m- m 

hi bi 




b b 



g 

V 

g 



-1 

=1 



g 



b 

w w 

m 



m- m m 



^ - 

g 

bi 



=i-b- g 

g 

b — “ V b 



g 



b 



V 



0 

bi b - ^ 

bi b 

b — 



Definition 4 (Successive Minima) The successive minima ofalat- 
tice — is the smallest 0 such that there are linear independent lattice 

points vi V — — {)—with ^ — . 



w V g 

m 



V m m m 



Proposition 1 (Minkowski 1896) If — is a lattice, then i 
1 

dim L 



w 



V m 

1 



m 

1 

dim L 

m 



w 



2 1 
g 



V V 

V m m 



0 m 
m z 
m X m m 
7 

m 



1 



m 



m m 
m w 



Definition 5 (Closest- Vector-Problem CVP) Given a full dimensional lat- 
tice — and a point x — the Closest-Vector-Problem is to find a lattice 
point b — with minimal distance x m ^ -x — b—. 






X m 

g m 

V 



g m 
V w 

X m 

X 0 

X w 



V g - 

w 

g 

m m 

g m 
w w 



Lemma 1 (Nearest Plane) Suppose is a full dimensional lattice given by a 
base bi b with -b — . For x — with x — one can ejficiently 

compute the uniquely determined closest lattice vector. 

m V 

g g g m 

g z - 4 

Definition 6 (Lattice Reduction) Given a base b± b and — 

denote C b ^min( + -i ) - ca// the base -reduced if 




a) - — ^ for - - . 

b) -b - I for 

There are two speeial cases: For it is called LLL base and for one 

calls it HKZ base. is a reciprocal -reduced base, if the reduction holds for the 
reverse ordered reciprocal base * [LLS90]. 



m 



V 

-z V 



m 



m m 



w g 

1 gv 

- 0 - 00 
V z 



m 



m 



m 



m 



m 



Proposition 2 ([LLL82, LLS90]) Let bi b be a base of the lattice 
— . For 

a) If is LLL reduced, then -b ^ ^ piiyT' 

b) If is reciprocal HKZ reduced, then -b . 

7 

w 1 7 ^ m 

0 4 4 m 4 



3 Tensor Product of Lattices 



g 4 w 

m m w m w 

V w m 

(g) w m 

C w 

m X — m X 

mg X m 

0 w 



m X 



V w 
w - m 
^ 1 1 2 “ 



1Q9 2 

1 — ^ 2 ■ 
w w m 



— 2 



( 1 - 1 ) 2 + 1 ( 1 - 1 ) 2+2 1 2 “ 2 



1 



1 



1 




m V 



g 



1 



w V 



2 



Proposition 3 Suppose i 2 are two full dimensional lattices. Then we have 
mi® 2 mi— m2 and 1® 2 1 2 

K w V 1 



1® — ® 



n,=ii dim 



Proposition 4 Suppose 1 2 are two full dimensional lattices. Then we have 
1 i®2 — 1 1—1 2 with equality if m 1— 4 or m 2 — 4 . 

4 CVP-Based Public Key Cryptosystems 



Frame Work. 



X — w 



pub ^ pub W 

pub m gw 



pub V m g 

g m 



m m 



V V 



mm m X 



X mg 

m g m g 



g V 



m g rn 



V e — w -e- 



y pubui 



y m e 



w b m 



e -e 



w ^6 



m m X m g v m 

g m X g g w m 

m fl g g m 




9 




Finding the Tensor Decomposition. 








w 


g 


g m 


g 


m 






w 


m 


V 




m 






m 


m 








m 


V 




m 


g 






m 


V 


w 










w 




m 








m 


g 


m 


m m 








m 








w m 






w 




m 


w m 


V 


m m 




X 


m 


w 


V 


V 




m 




m 




m 


w 


m 




m 






m 


4 






m 


V 












g g 


m 


m 






1 


C 


2 C 




m 




1(8) 


2 






m 


g V 




X W V 














/ dim 


1 / dim 2 


/ dim 




dim 2 






( =. 


( .. 




=1 


2 


m V 




g 






g 


W 








m 


g 




th 


m 


w 


m 2 




g g 
m 


m 




dim 2 


m 


m V 


2 




V 






2 


g 


g 


g 








g 




m 


V 


V 










g 


V 


g m 












^dim 


1 -dim 2 
dim 2 


( 












Attacks by Lattice Reduction. 


m 




V 


W 








m 


- 








m 




m g X pub^ 



ext § 



g m 



m X 



[X pub( 

0 



pub ( 

0 



m 



+1 



m 



X m 
g g 



2 ext 1 pub 

V ext W 

^ m m z 



m g 



ext ^ext ^ ^ 

V 6ext V 

1 pub ^ 

1 



m 

g m 



m 

V 



m 4 

V w 

V 



m 

1 

2 



m 

0 



w_ 

1 

2 



m 

m 



V g m 

V 



m y 
m w 



V V 

pub^TT- m 

g w 



X m 



V 

m e -R 



Comparison with McEliece Scheme, 



m 

mm 



m 



m w 

m 

g 

0 

m X 



V 

m 



g m g 

m 

g — m X 

— m mm mm g 

m pub V 

m m X 

g m X m g — 

m g y m pub ^ V m 



m 



w 



m X 
m 

w g 

m 



m g g 

m m X 

g 

w m g 



w g 



m 



m X 



mm g 



m 

V 



r > 



6gL\{ } ||6|| <r-Ai L 




m 



w g 



m 



g mm 

m m g m w 

m w - w m m 
m X V 

g m m w g m 

m mm 

g V m w 

V g m g 



w 



m g m 



g m 



m 



5 HKZ-Tensor- Trapdoor 



g V 



g g 

V m w m 

w 

X w w 



Proposition 5 Suppose and are bases of two lattices with -a — and 



1 



— . For the base 



of C we have 






r 



w m 
w m 
w 

w 

X 



m 

w m w 

g 



m g 

w m — 4 

g 

g w m 

X 

m 



1 09 2 ^ 



( .1 



(( « ( 



= 1 



1 1 



=1 



w 

g 



g w 



V m 

V w 

w V 7 
- m 



7 
g V 



^ tI 1 



7 g 




V 



X m 



V 



w 



6 Tensor-Hiding- Trapdoor 



g w 



decode 



g g m w 



decode hide W 



V decode decode 4 hide hide 



V m HI 1 decode 
decode W 



decode decode 



m X m m m 



decode decode 



decode decode 



1 decode 



1 decode 



decode 



g m g 



m g V 



decode*^ hide 



decode 1 



m g 



g m X w 



m X m m m x 



decode hide 



V g X 

y b e w b — ww 
g V g m m 



m hide w 



m g 



V w 




7 Conclusions and Open Problems 



m 



m 



m 



m 



1 2 



X m 



m 



w g 



m 

V 

g 

1 2 
m 



w 

g 



m w 
m 



V g 

V 



m 

V 

1 ® 2 



References 



On Lovdsz’ Lattice Reduction and the Nearest Lattice Point 
Problem 9 

9 Cryptanalysis of the Original McEliece 

Cryptosystem 9 99 99 

9 An Introduction to the Geometry of Numbers 

99 

9 A Course in Computational Algebraic Number Theory 

99 

Sphere Packings, Lattices and Groups 
9 

Hermite Normal Form 

Computation using modulo Determinant Arithmetic 

9 9 

9 Succinct Certificates for Almost all Subset 

Sum Problems 9 9 

9 Publie-Key Cryptosystems 

from Lattice Reduction Problems 9 9 

Minkowski’s Convex Body Theorem and Integer Programming 

9 

9 Arithmetic of Quadratic Forms 

99 

Factoring Polynomials 

with Rational Coefficients 
9 

9 Korkin- Zolotarev 

Bases and successive Minima of a Lattice and its Reciprocal Lattice 

99 

) Handbook of Matrices 99 

The Theory of Error Correcting 
Codes 9 

9 Les Reseaux Parfaits des Espaces Euclidiens 99 

9 Lattice Points in high- dimensional 

99 



Spheres 




99 

9 



9 

9 



+9 



9 



Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosys- 
tem from Crypto ’97 99 

Recognising Tensor Products of 

Matrix Groups 9 99 

Approximating Integer Lattices by Lattices 
with cyclic Factor Group 9 9 

On Decoding Iterated Codes 
9 

A Hierarchy of Polynomial Time Lattice Basis Reduction 
Algorithms 9 

Block Reduced Lattice Bases and Successive Minima 

99 

Attacking the Chor-Rivest Cryptosys- 



tem by improved Lattice Reduction 
99 



9 



9 



Lattice 



Attacks on the GGH Cryptosystem 9 

Encryption by Random Rotations 
9 9 

Cryptography: Theory and Practice 



99 



99 



A Quasi-Random Orthogonal Matrix 



4 W 

X W 

gg 

g 

m m X 

T 



m w g 
m 

g g m 

m 

w 

1 



m g 
g 

m m 

g m 

— m X w 
g m X 



g w 

V w 

4 

m m 



m g 

m 

“ g m 



m m X 
m 

g m X 
“w 



m - 



g 



m - 



w 


m 




fl 


g 


m X 






w 










pub 




w 










V 


m m 






' 


e w 


-e 


w 


m 


-e 


V 




m 


m 


m 



w m m 

g g 



V pub 

m X 
m 



V 



g 



m 



w 






X m 






— m g m 


1 2 


■F ~ 


m 


m 


X “ 






( 1 




{ 












g __ 




m 






B Proof of Proposition 5 






V W 




w 




— -b w w 






0 


I 


0 £ '' 


Proposition 6 For two orthogonal matrices 


the Kronecker product 


® is orthogonal, too. 










w w 


m 






m X 


w 






w 


g 


m X 








- 


g m X 








— 


g m X 


w 


g 


m 


m 


w w m 




m- m m 




? ^ 
\ g 


W V 




m- m 

g 






w w 




m V g 


V 


V 


w 








0 0 


0 




0 0 


w g 


( 


( 0 ( 




( 




( 




® ( 




( ® 




(A ® ( 




g m 


X 








(-91 


0 


( 

_ ( 


(^1- 0 ( 
( ( 




( 0 




^0 -b 


w 


m£ 


m£ 




V 

g 




g m 


X 




gw V 




g 


m X w 




g m 


g 




0 




g g 


w 






w g 


w 


g 












C Choosing a Random Lattice 



m 



m m 
w w 



w 

m 



Hermite normal form 
m mm 



g V 

m X 



g m 



m m m w 
m 

mg m g V 

-z 



m 

V 

~R 



X 

g V 

m m 



V m m g 1 
m 

m m 
w 



g V m 



m g 



m m 

m m 



w g 

V 

g 



X 



; =1 



0 m 



V w 



g 1 



1 a 



0 X 



W 

m m 



X mm 
g V 



m 



g 

a —R 



( = 



V -z X — n 

gw w 

m m g V a; 

0 



n 



oSr[1 )” 



1 a 



V V 

0 

V m 



X m 



V 



— 2 




2 




0 



m 



0 



g 



w 

m 



w 



w 



oeR[i ) 



0 



0 m 



w 



a — R 



w 




i+i+i 

a 



m 



1 



V g 



( 1 + 1 ) +1 




Delegated Decryption 



Yi Mu, Vijay Varadharajan, and Khan Quae Nguyen 

School of Computing and IT, University of Western Sydney, Nepean, 
P.O.Box 10, Kingswood, NSW 2747, Australia 
yimu, vijay , qnguyen @cit .nepean.uws . edu.au 



Abstract. This paper proposes a new public key based system that 
enables us to have a single public key with one or more decryption keys 
and a unique signing key. One straightforward application for our system 
is in delegated or proxy based decryption. The proxy based decryption 
requires that the decryption authority can be delegated to another party 
(proxy) without revealing the signing key information. This suggests that 
the proxy who has the legitimate right for decryption cannot sign on 
behalf of the public key owner; only the legitimate signer can be the 
owner of the public key. 



1 Introduction 

Public key cryptography is generally considered to be asymmetric, because the 
value of a public key differs from the value of its corresponding secret key. One 
paramount achievement of public key cryptography lies in the fact that it en- 
ables both encryption and signature, where a secret key can be used for both 
decryption and signing, while its corresponding public key can be used for both 
encryption of a message and verification of signature. It is clear that in a pub- 
lic key system a party who can decrypt a message must possess the associated 
secret key that can also be used to sign. 

Let’s consider the situation where you want some party to check your en- 
crypted email messages, whereas you do not want the party to sign on your 
behalf. The common solution for this situation is to disable the signing function 
of the secret key by explicitly specifying the public key as encryption only and 
the secret key as decryption only. On the other hand, you need to have another 
secret-public key pair for yourself, which can be used for signing. This approach 
is not convenient due to the maintenance of two key pairs and the separation of 
public key’s duties. Moreover, for some popular email software such as PGP and 
PEM you can not disable the signing capacity of a secret key. 

It is quite clear that we want a public key system where several secret keys 
map onto a single public key. This kind of mapping can actually be found in 
group signatures[l,2,3,4]. In a group signature system, any one in the group can 
sign using its secret key on behalf of its group. The signatures can be verified 
with the unique group public key. However, we can not use the method of group 
signatures in our system, because all existing group signature schemes cannot 
be used for encryption. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 258-269, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




Delegated Decryption 259 



In this paper, we propose a proxy decryption system that addresses the prob- 
lem raised above. In our system, there are two different types of secret keys as- 
sociated with a unique public key. They are called owner secret key and proxy 
secret key(s) respectively. The owner secret key is to be used for signing, whereas 
the proxy secret key(s) are to be used for decryption only. Our scheme relies on 
the difficulty in solving discrete logarithm problems associated with polyno- 
mial functions. Both the encryption and signing methods are based on ElGamal 
algorithms [5]. 

There are a couple of immediate applications of our scheme. First, let us 
consider a boss-secretary environment. The boss (say. Bob) in an organisation 
could be too busy to read his emails and may allow his secretary or proxy (say, 
Alice) to handle his encrypted incoming emails; However Bob does not allow 
Alice to sign. Second, consider an electronic commerce environment. In a bank, 
it may be necessary that majority of staff can receive and verify signed and 
encrypted electronic cash and cheques, whereas only some of them are allowed 
to sign/issue electronic cash and cheques on behalf of the bank. 

The rest of this paper is organised as follows. Section 2 describes the cryp- 
tographic polynomial functions required for our scheme. To simplify our pre- 
sentation we introduce the concept of vectors. The main task of this section is 
to prove that the designated vectors used in our system are secure. Section 3 
outlines the setup of our system and defines the cryptographic keys to be used. 
Section 4 is devoted to the proxy decryption scheme and the associated digital 
signature scheme. Section 5 describes two interesting extensions to the system, 
where we study how to combine a signature with an encryption. We also study a 
proxy signature scheme, where a proxy (or proxies) can sign on behalf of the key 
owner in such a way that the signer can be recognised as the legitimate proxy 
by the signature verifier. The final section is the conclusion. 

2 Preliminaries 

In this section, we discuss the polynomial functions and introduce the concept 
of vector space. 

2.1 Construction of Polynomial Functions 

Throughout the paper we use the following notations: is a large prime, — * is 

a multiplitive group of order — 1, and * is a generator. 

Given vectors a = ( o i ) ~ (~ -i) and b = ( o i ) — 
(— _i) where — — _i, the inner product of a and b is defined as 

a -b = XI =0 (mod — 1). Vectors a and b are called orthogonal, iff the 
inner product a -b = 0 ( mod — 1). 

= 12 , let 

o=II(- ) 

=1 



Lemma 1. Given 



-1 




260 



Yi Mu, Vijay Varadharajan, and Khan Quae Nguyen 



."Eni- ) 

! (1) 
-2 = I](- )(- ) 

= ) 

= 1 

= 1 

Then the vector a = ( o ) is orthogonal to the vector ^ = (1 ^ )> 

i.e. a -X =0 for = 1 

Proof. Given = 1 , consider the function ( ) = fl =i( “ )• We have 

() = n=i(- ) = n=i(- )+(E=in=(- )) + +e=i(- ) -'+ 

= 0 + 1 + 2 ^+ + • Therefore, E =o = 0 or a -x^ ^ = 0. □ 

We can see that, if i are given, it could be possible to find , = 

1 , by solving the equations a-®*' ^ = 0. The question then is how to hide the 

information of a such that all vectors ^ that are orthogonal with a become 
computationally hard to determine. More precisely, we require our system to 
satisfy the following criteria: 

(a) a = ( 0 ) is hidden such that it is computationally hard to be deter- 

mined. 

(b) It is computationally hard to determine a vector x^ ^ such that a-£c^ ^ = 0. 

(c) Given some hidden information of a — (— _i) where x^ ^ -a = 0 (mod — 

1) =1 , it is computationally hard to determine a +i — -i that 

is not equal to =1 , and a = ( g — (— _i) such that 

x^ -a = 0 (mod — 1) =1 +1. 

The criteria (a) and (b) can be realised due to the difficulty in solving discrete 
log problems: 

Lemma 2. Let g{a) = { ° ^ ") — ( o i ) mod . Given g{a) for 

*, it is computationally hard to determine a vector x^ ^ such that a-a:^ I = 

0 ( mod — 1) or “ = 1 ( mod ). 

Proof: Immediate. Based on discrete logarithms, the difficulty is due to finding 

= log is hard and finding a such that H =o ^ ~ ^ i mod ) is hard. □ 
However, Lemma 2 does not cover Griterion (c). According to Lemma 3 below 

it is easy to find a +i _i such that the dimension of g can be arbitrarily 

increased without the need knowing , = 0 




Delegated Decryption 261 



Lemma 3. Assume that g = { o i ) 'is given as in Lemma 2. Given 

+1 _i, a new veetor g = ( o «+i) can be determined without the 

knowledge of ,= 1 , such that ® = l [mod ), for = , 

= 1 +1, where a' = ( g _i_g). 

Proof: Let a=(g ^j^)be the coefficients of the polynomial function 

( ) = n =i( “ )( “ +i) = a Given the information ( o ), 

=01 +1, can be determined in the following way: 



S' 1 

II 

III 
1 












fc-i 


TI+ 1 k 




= -i( 


) „+i 0 




Note that "+i = 


- ("+i) 

. It is easy to check that 2 =1 


( mod ) for all 


= 0 +1. 




□ 



The problem given in Lemma 3 is serious, as we will see later that it is 
equivalent to allowing any user to legally add proxies to the system. In Corollary 
1, we show that this problem cannot be solved by simply adding a secret salt 
parameter (say, — — _i) to in the way of where is hidden by . 

Corollary 4. Assume that i 2 are solutions 0 / ( ) = =0 = 

0, where may be not equal to 1 (due to the salt). If “ ^ " are 

known, given + 1 , 0 1 n+i can be determined, without the knowledge 

of I 2 , sueh that funetion 

( ) = 0"+ r + + k+i = X 



/or = =1 +1. 

The proof is straightforward and is omitted. 

From Lemma 3 and Corollary 1, we conclude that one way to avoid someone 

illegally adding +1 to the set 1 2 is to hide one of the elements of 

1 _i which are defined in Eq. (1). To achieve this, the following method 
is recommended. 

For the given (012 )> we define a new vector a = ( 0 12 

), where ^ = = -i = X] • Let “' = (<> 1 2 «-i 

") and = S =1 = ) then “ 2 = 1 ^ for all =1 

Since • are not given in a clear form, i.e. they are hidden in » =1 — 1, 

the issues raised in Lemma 3 are solved. For the sake of convenience, we rewrite 
“ as g, then g = — — =o- 

3 System Setup 

The system of proxy decryption consists of several senders, a boss and several 
decryption proxies. 




262 



Yi Mu, Vijay Varadharajan, and Khan Quae Nguyen 



— Encryption. Any party can encrypt a message using the unique public key 
of the boss. 

— Decryption. Either the boss or any legitimate proxy can decrypt the message 
encrypted with the owner or boss public key. 

— Signature. Only the boss can sign a message that can be verified by any 
recipient using the boss’ public key. 

Let Bob be the boss and Alice be his secretary, a proxy. Bob is the principal 
who owns the public key and the associated secret or decryption keys. In order to 
construct the secret-public key pair, Bob needs to choose a vector ^ and the 
associated secret vector a such that a -a;*' ^ = 0 for = 0 . The properties 

of a and ^ are as described in the previous section. 

To construct his secret-public key pair for a single-proxy system (without los- 
ing generality, let’s set = 3 ) , Bob chooses three random numbers, 123 — 
— _i and computes =0 3 . must be sufficiently large such that find- 
ing discrete log = log • is hard. Bob then picks a number /3 — — _i at 

random and computes its inverse and proxy parameters — (3 , for = 

12 3 . Consider the set — " ( ” ^ ^ ^), for = 0 1 4 . 

Namely, '0 = O) '1 = '2, *3 = and "4 = . The public key of Bob is then 

— — ' — ; Bob keeps 1 , 2 , 1 , 2 and all ’s and can use either 1 or 2 

as his secret decryption key and ’s as his signing key. Bob gives 3 and 3 to 
Alice who uses 3 as her secret proxy key and 3 as her proxy parameter defined 
as follows: 

Definition 5. A proxy parameter is an indieator that proves to another party 
the legitimacy of the proxy. Proxy parameters are public. That is, 

— they are not secrets to the public, 

— they can be distributed along with signatures, and 

— unlike public keys, they do not need to be signed by a trusted authority. 

Proxy parameters have to be computed by Bob. Each proxy needs to have 
a proxy parameter to be used in proxy decryption and proxy signing. We will 
see later that proxy parameters may actually be kept private when only encryp- 
tion/decryption is involved in actual applications. They become public only for 
proxy signatures. 

4 Proxy Decryption 

Conceptually, we describe proxy decryption as follows: 

Definition 6. Given public key — and its corresponding owner decryption key 
, owner signing key and the proxy key , the ciphertext — ( ) of message 
can be decrypted using either or , i.e. = ( — ( )) = ( — ( )). 

Only but not can be used to sign, i.e. — ( ( )) = and — ( { )) = 

This definition has omitted proxy parameters . Proxy parameters are only 
needed during a decryption process, whereas encryption involves only the public 
key of Bob. Bob and Alice can keep their proxy parameters secret if they wish. 




Delegated Decryption 263 



4.1 Encryption Scheme 

Consider a simple situation where three players are involved in the protocol, a 

sender, Bob and Alice. The public key in the protocol is ( " ). Let 7 i be 

a one way hash function and be the message to be sent to Bob by the sender. 

The idea of this protocol is for the sender to encrypt using the public key 

and produce the corresponding ciphertext that can be decrypted by either Bob 
or his proxy, Alice. 

To encrypt a message , the sender computes = 'H[ ) and encrypts 
using Bob’s public key to obtain the ciphertext — ( i 2), where 1 — 

( ~o ~ ) — 1 4 , and 2 = (mod ). is sent to Bob whose computer 

then automatically forwards the message to Alice. 

Since Bob possesses the secret key, = 1 or 2, and Alice possesses the 

proxy key = 3 , either Bob or Alice can obtain by decrypting the ciphertext 
2. The decryption key used to decrypt 2 can be obtained by using either Bob’s 
secret key or Alice’s proxy key: 




^2 

The last equality holds because =0 ~ message can be recovered 

by computing = 2 (mod ). Once is obtained. Bob or Alice can verify 
the correctness of the encryption by checking whether 1 — — ~o ~ “ with 
= H{ ) ( mod — 1). 

Theorem 7. Encryption protocol. 

Completeness. For a given ciphertext , if the sender follows the eorreet pro- 
eedures, both Bob and Aliee will receive the same message. 

Soundness. (1) The sender cannot cheat by produeing the ciphertext that can 
only be deerypted by Alice. (2) The recipient can verify the eorrectness of the 
encryption process even if he does not have the group publie key. 

Proof. 

Completeness. The proof is straightforward. As shown above, any one with a 
valid can decrypt the ciphertext and hence obtain the message 
Soundness. ( 1 ) Notice that a is orthogonal to all x and based on the discussion 
given in Section 2 , a cannot be modified. Therefore if x can decrypt the cipher- 
text, any x , = , can also decrypt it. (2) The proof is as follows: Once the 




264 



Yi Mu, Vijay Varadharajan, and Khan Quae Nguyen 



message is decrypted, Bob or Alice can verify the correctness of ciphertext. 
It is done as follows: 

— Compute =‘H{ ) (mod — !)• 

— Compute ~ for = 1 4 and "o = ( o)^ (mod ). 

— Reconstruct the group public key — = ("), =01 4. 

— Verify the correctness of the newly constructed public key by checking 

4 ^ a ajj — X with his private key 

Since is computed using H[ ), all the verifications are successful if and only 
if the sender follows the correct procedures. □ 

4.2 Signing Scheme 

The signature scheme is based on the ElGamal signature scheme [5]. In our 
system, Bob can sign a message and his digital signature can be verified using 
his public key; whereas Alice cannot sign on behalf of her boss. 

We assume that the signer is Bob. The system is set up by Bob in the 

following manner: Bob chooses a large prime , selects a primitive element 

*, computes his secret or signing key such that = where 4 = 

\ and sets the public key parameters to the tuple ( ) with = " • 

Note that can be computed by the verifier; so Bob does not need to inform the 

verifier of . Actually, the public key is still in the form of = ( " ). 

To sign a message , Bob carries out a regular ElGamal signing operation, 
i.e. he first picks a random number — — _i such that any is relatively prime 
to — 1 and then computes = (mod ) and = ^^( — ) (mod — 1 ) 

to form the digital signature — — — — where * and _i. The 

signature — is then sent to the verifier. To verify the signed message, checks 
= . If the equality holds, the signature is accepted. 

5 Extension 

In this section, we describe two interesting extensions to our scheme: sign- 
encryption and proxy signature. 



5.1 Proxy Decryption with Sign-Encryption 

In a sign-encrypting system encryption is combined with a sender’s signature, 
sometimes called signcryption[ 6 ]. The advantage of such a scheme lies in the 
reduction of computational complexity. In other words, it is computationally 
more efficient than signing and then encrypting a message. 

We propose such a sign-encryption by combining ElGamal signature scheme 
with our encryption scheme. Assume that the secret-public key pair of the sender 
consists of ( ) , where = = ( mod ) and . 




Delegated Decryption 265 



To send a message to Bob, the sender carries out the following steps: 

1 . Chooses a secret encryption key — — -i, two random numbers i 2 — 

— _i that are relatively prime to — 1, and * of order — 1 a primitive 

element. 

2 . Computes: 

1 = 1 (mod ) 

2 = ^ (mod ) 

= 1 2 (mod ) 

1 - ( 2'o '1 '2 "3 ^4) (mod ) where =1+2 

2 = (mod ) 

= ~^( - 1 ) (mod - 1 ) 

2 and are known only to the sender. The sign-encrypted message is then 
- ( 1 2 1 )■ 

3 . Sends to Bob whose computer may forward it to Alice. 

Either Bob or Alice can open and verify the message by computing the decryp- 
tion key and recovering the message : 

= M l( 2^0 II' T 4 1 
= ^ Elo . ^ 

si 

= ( mod ) 

= 2 

Theorem 8. Sign- encryption Protocol. 

Completeness. If the sender follows the correct process, Bob or Alice will 
always aecept the sign- encrypted message. 

Soundness. A eheating signer cannot convince the verifier to accept the sign- 
encrypted message. A cheating verifier cannot recover the sign- encrypted 
message. 

Proof. 

Completeness. The proof is straightforward by inspecting the protocol. Note that 
the completeness of the protocol follows from the properties of ElGamal algo- 
rithm. 

Soundness. The message recovery is the combination of the ElGamal encryp- 
tion and signature schemes. We examine the soundness by inspecting both the 
signature verification part and the encryption part. The encryption part is the 
ciphertext of 2 ~o ^^id is based the same scheme used in Protocol 1 . According 




266 Yi Mu, Vijay Varadharajan, and Khan Quae Nguyen 

to the lemmas given in Section 2, only the recipient who holds a valid secret key 
or proxy key can recover the message. The signature part can be written in a 
more obvious form: 



Signature: i = ^ ( mod ) 

= '^( - 1 ) (mod - 1 ) 

Message recovery: = ” H i 2 ) 

= 2 

We find that it is a variant of the ElGamal signature scheme and is equivalent 
to the signature message recovery [7]. Actually, we can refer to the ElGamal 
signature as a special form of our scheme by omitting parameters 2 ^ and 2 
from the expressions above. The security in such systems is similar to discrete 
log problem in the ElGamal signatures. Eor example, assume that Eve tries to 
forge a signature for a given message , without knowing . Eve chooses a 
value and then tries to find the corresponding ; for this to be successful she 
must compute the discrete logarithm log ^ . □ 

5.2 Proxy Signature 

In some cases, Bob may allow Alice to sign on his behalf, when say he is not 
available. This is the so-called proxy signature. Any verifier can use the boss’ 
public key to verify her signature. It is important that proxy signatures should 
be distinguishable from Bob’s signatures. 

The concept of proxy signature was first presented in [ 8 ]. However, our proxy 
signature scheme is fundamentally different. We define our proxy signature as 
follows: 

Definition 9. Given public key — of Bob, proxy secret key and the asso- 
ciated proxy parameter for proxy , the proxy signature on is defined as: 
= ( )— ■ The proxy signature can be verified using — , i.e. = — ( ). 

The Scheme There is no additional setup requirement for enabling proxy 
signatures. Assume that the system is being set up by Bob. The secret key 
for Bob and Alice are 1 (or 2 ) and 3 respectively. The public key is still 

— = ( — * — To sign a message , Alice first picks a set of random numbers 

— — _i =0 3, such that any is relatively prime to — 1 and then 

computes 

= ~ • ( mod ) =12 3 

1) =12 3 

). To verify the signed message. 



and 



= ^( — ) (mod - 



to form the digital signature — 
the verifier checks 



n 

=1 



4 



0 




Delegated Decryption 267 



Theorem 10. Proxy signature protocol. 

Completeness. The receiver of the signature will always receive a correct sig- 
nature from the corresponding proxy, if the proxy and verifier are honest. 
Soundness. A cheating proxy cannot convince the verifier to accept the .sig- 
nature. 

Proof. 

Completeness. Immediate. 

Soundness. Assume that the proxy signature can be forged by an adversary, Eve. 
Then given *, Eve should be able to hud some ~ and ~ such that 

3 

' ~ where =4 ^ q 

Assume that the above equality holds. Then given ~ 2 , ~ 3 , 2 and " 3 , Eve should 

be able to determine ~i and ~i and the above equation can be rewritten as 

= or = where = — 

This, however, violates the ElGamal’s properties. □ 

Untraceable Proxy Signature As mentioned in Section 3, each proxy param- 
eter is unique to each proxy. Proxy parameters are not secret, so proxies in the 
above scheme are traceable. Since proxy parameters are not linked to the iden- 
tities of proxies, it is easy to make proxies anonymous. In fact, we can slightly 
modify the protocol so that the proxies also become untraceable: 

In the setup step, the proxy also initialises a random number 7 — — _i 

such that has the new form: 

= “^(7 - ) (mod - 1) =12 3 

to form the digital signature — = ( 7 ) . To verify the signed message, 

the following confirmation protocol is needed: 

1. The verifier computes — n^=i ~ ' 4 '^ ^ ■ Please note that if this step 

was implemented correctly, we have = . However, because 7 is un- 

known to the verifier, three additional steps are needed to complete the 
verification. 

2. The verifier selects a random number — — _i and computes its inverse 

The verifier then computes 4> ^ ) and sends 4> to the signer. 

3. The signer computes — fP and then sends to the verifier. 

? _ 

4. The verifier checks = q 

Obviously, the proxy’s signature is untraceable, since verifier cannot link 
proxy parameters in different signatures to a particular proxy. Nevertheless, the 
untraceability applies only to users excluding Bob. This is because Bob has full 
information about , and therefore he can obtain 7 very easily by checking 





268 



Yi Mu, Vijay Varadharajan, and Khan Quae Nguyen 



Theorem 11. The untraceable protocol: 

Completeness. If the prover and verifier follow the protocol then the verifier 
aecepts the signature as a valid signature of . 

Soundness. A cheating prover cannot convince the verifier to accept the sig- 
nature. 

Proof. 

Completeness. There are two facts: First, the secret number and its inverse 
are known to the verifier only. To remove in the prover or signer is faced 
with a discrete log problem. Second, only the prover knows the secret number 7 
and its inverse 7“^ and hence can remove 7 in <p. Therefore, the verifier accepts 
the signature if = (T ■ 

Soundness. Assume that a cheating signer who computes without using one of 
proxy or owner secret keys and thus generates — _ = ( 7 ) • This will 

result in a value other than in the verification: n^=i " ’ ; ^ j 'A* 

The verifier then selects ( and computes (mod ) that is then sent to 

the cheating signer. One way that he can convince the verifier is to find and 
compute ( ) . However, he needs to solve the discrete log problem, log , 

which is computationally hard to him. □ 

It is noted that the proof of knowledge on 7 by the signer is equivalent to 
proving her ability of removing 7 from . Therefore, we can make the verification 
process non-interactive by adapting non-inter active equality proof of discrete log 
proposed in [3]. In our case, the prover is the signer, who should prove that 
she knows 7 without revealing 7 to the verifier. The common knowledge is the 
primitive — g . The prover will prove that s/he knows the secret 7 from 
(mod ) without revealing 7. 

The prover: 

— Chooses — — _i at random and computes — (mod ). 

— Computes = H( — — ) (mod — 1) and = — 7 (mod — 1). 

— Sends ( ) with other signature data to the verifier who can verify the 

knowledge of equality proof, by checking = (mod ), where = 

ULi" ‘ 4 "^ 

Readers are referred to Ref. [3] for details of non-interactive discrete log proof. 
Please note that the security assurance relies on the fact can only be computed 
after has been computed or after has been chosen. 

6 Conclusion 

We have proposed a public key based system, where the tasks of decryption and 
signature have been separated by introducing proxy keys. Our system is based on 
a special polynomial function whose security properties have been investigated 
and found to be suitable for our system. Furthermore, we have also extended our 
scheme to sign-encryption as well as proxy signatures that allow proxies to sign 




Delegated Decryption 269 



on behalf of the owner with the condition that their signature can be identified 

only by their owner. We believe that our system has its potential applicability 

in electronic commerce. 

References 

1. D. Chaum and E. van Heijst, “Group signatures,” in Advances in Cryptology — 
EUROCRYPT ’91, (New York), pp. 257-265, Springer- Verlag, 1991. 

2. L. Chen and T. P. Pedersen, “New group signature schemes,” in Adances in cryp- 
tology - EUROCRYPT’94, Lecture Notes in Computer Science 950, pp. 171-181, 
Springer- Verlag, Berlin, 1994. 

3. J. Camcnisch, “Efficient and generalized group signatures,” in Adances in cryp- 
tology - EUROCRYPT’97, Lecture Notes in Computer Science 1233, pp. 465-479, 
Springer- Verlag, Berlin, 1997. 

4. J. Camenisch and M. Stadler, “Efficient group signature schemes for large groups,” 
in Advances in Cryptology, Proc. CRYPTO 97, LNCS 1296, pp. 410-424, Springer- 
Verlag, Berlin, 1997. 

5. T. ElGamal, “A public-key cryptosystem and a signature scheme based on discrete 
logarithms,” in Advances in Cryptology, Proc. CRYPTO 84, LNCS 196, pp. 10-18, 
Springer- Verlag, Berlin, 1985. 

6. Y. Zheng, “Digital signcryption or how to achieve cost (signature & encryption) — 
cost (signature) + cost (encryption),” in Advances in Cryptology — CRYPTO ’97 
Proceedings, Springer Verlag, 1997. 

7. K. Nyberg and R. A. Rueppel, “Message recovery for signature schemes based on 
the discrete logarithm problem,” in Advances in Cryptology, Proc. EUROCRYPT 
94, LNCS 950, (Berlin), pp. 182-193, Springer- Verlag, 1994. 

8. M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures for delegating signing 
operation,” in Proc. of the Third ACM Conf. on Computer and Communications 
Security, pp. 48-57, 1996. 




Fast and Space-Efficient Adaptive Arithmetic 

Coding* 



Boris Ryabko^ and Andrei Fionov^ 



Siberian State University of Telecommunications and Information Sciences 
Kirov St. 86, Novosibirsk 630102 Russia 
{ryabko, fionovjOneic .nsk. su 



Abstract. We consider the problem of constructing an adaptive arith- 
metic code in the case when the source alphabet is large. A method is 
suggested whose coding time is less in order of magnitude than that for 
known methods. We also suggest an implementation of the method by 
using a data structure called “imaginary sliding window”, which allows 
to significantly reduce the memory size of the encoder and decoder. 



1 Introduction 

Arithmetic coding is now one of the most popular methods of source coding. Its 
basic idea was formulated by Elias in the early 1960s (see [1]). However, the first 
step toward practical implementation was made by Rissanen [2] and Pasco [3] 
in 1976. Soon after that in [4,5,6] the modern concept of arithmetic coding was 
suggested. The method was further developed in a number of works, see, e.g., 
[7,8]. 

The advantage of arithmetic coding over other coding techniques is that it 
allows to attain arbitrarily small coding redundancy per one source symbol at 
less computational effort than any other method (the redundancy is defined 
as the difference between the mean codeword length and the source entropy). 
Furthermore, arithmetic coding may easily be applied to sources with unknown 
statistics, when being combined with adaptive models in an adaptive coding 
scheme (see, e.g., [9,10,11,12]). 

The main problem in linking arithmetic coding with adaptive models is the 
following. All known adaptive models provide some estimate of the actual prob- 
ability p{ai) for each letter ai over a source alpabet A. But arithmetic coding 
is based on cumulative probabilities q{ai) = Since probability esti- 

mates change after each coded symbol, cumulative probabilities must always be 
re-computed. This requires about |A|/2 operations per symbol, where |A| denotes 
the size of the alphabet, which affects the speed of coding. The reduction of the 
coding speed becomes the more noticeable as the alphabet size increases. From 
this point of view, the alphabet of 2® = 256 symbols, which is commonly used in 

* Supported by the Russian Foundation of Basic Research under the Grant no. 99- 01- 
00586 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 270-279, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




Fast and Space- Efficient Adaptive Arithmetic Coding 



271 



compressing computer files, may already be treated as a large one. With adop- 
tion of the Unicode the alphabet size will grow up to 2^® = 65536 and become 
sufficiently large to prevent any direct computation of cumulative probabilities. 
In this paper, we suggest an algorithm that computes cumulative probabilities 
in 0(log |yl|) time, which is exponentially less than for known methods. 

To obtain a specified (arbitrarily small) model redundancy, denoted hence- 
forth by r, we use an adaptive scheme with sliding window. The sliding window 
scheme possesses many useful properties and the only disadvantage, that has so 
far prevented its wide usage, is the necessity to store the entire window in the en- 
coder (decoder) memory. In obtaining arbitrarily small redundancy, the memory 
allocated to the window becomes a dominating part in space complexity of the 
encoder and decoder, which thus grows as 0(l/r). To remedy this disadvantage 
we use a type of the scheme called “imaginary sliding window” (the concept of 
which was presented in [13]). This approach allows to preserve all the properties 
of sliding window without storing the window itself. 

The space complexity (S') and time complexity (T) of the proposed method 
in case of a memoryless source, seen as functions of two variables, the alphabet 
size |A| and redundancy r, are upper bounded by the following estimates: 

S < const TjAl log J bits. 



T < const 




Ml Ml 

log I A| + log log — ^ log log log — 
r r 



bit operations 



(here and below log x = log 2 x and const denotes some (different) constants 
greater than 1). Generalizations toward Markov or tree sources are straightfor- 
ward and can be done by known techniques. 

The paper is organized as follows. In Sect. 2 we consider the problem of 
combining a conventional sliding window scheme with arithmetic coding. We 
describe a method for fast operation with cumulative probabilities and investi- 
gate its complexity. In Sect. 3 we present an imaginary sliding window scheme 
which dispenses with the need for storing the window. 



2 Fast Coding Using Sliding Window 

Let there be given a memoryless source generating letters over the alphabet 
A = -ai,a 2 , . . ■ ,a„— with unknown probabilities p{ai),p{a 2 ), . . . ,p{an)- Let the 
size of the alphabet be a power of two, n = 2™ (it is not a restrictive assumption, 
because, if n < 2™, the alphabet may be expanded with 2™ — n dummy symbols 
having zero probability with trivial modifications of the algorithms). Let the 
source generate a message x\ . . . xi^ixi . . . , Xi — A for all i. The window is 
defined as a sequence of the last w symbols generated by the source, where 
w denotes the size of the window. At the moment I the window contains the 
symbols xi^w . . .xi^ 2 Xi-i. During encoding (or decoding), the window “slides” 
along the message: as a novel symbol is introduced in the window, the oldest one 




272 



Boris Ryabko and Andrei Fionov 



is removed. Each letter ai — A \s assigned a counter a of size t = -log(ie + n) — 
bits that contains a number of occurences of ai in the current window plus 1 
(to prevent zero probability). In these settings the sum of all counters is equal 
to the window size plus the alphabet size, Y^=i Ci = w + n and the estimates 
of the symbol probabilities p{ai), p{a 2 ), . . • , p{an) may be obtained as p{ai) = 
Ci/{w + n) for all i. 

Denote the novel symbol to be encoded by u and the oldest symbol stored in 
the window, to be removed, by v (at the moment I, u = xi and v = xi-u,)- The 
adaptive encoding of the symbol is performed as follows: encode u according to 
the current estimated probability distribution {p{u) = c{u) / (w + n)); decrement 
counter c{v) corresponding to the letter v; remove v out of the window; increment 
counter c{u) corresponding to the letter u; introduce u in the window. The 
decoder, provided that it starts with the same counter contents as the encoder, 
decodes the symbol according to the current probability estimates and updates 
the counters in the same way as the encoder. 

Encoding of a symbol given an estimated probability distribution may effi- 
ciently be carried out by means of arithmetic coding (see [7,8] for more details). 
This technique, however, requires that cumulative range [Qi, Qi+i) be specified 
for the symbol u = Ui, where Q are defined as follows: 

Qi = 0 , Qi = ^Cj, 1 = 2 , 3, ...,n + 1 . ( 1 ) 

j<i 

The direct calculation of Q using (1) requires 0{tn) bit operations. Below we 
describe a method that allows to reduce complexity down to O(tlogn). 

Let us store not only the counters (denote this vector by C^), but also the 
sums of successive pairs of counters (C^), the sums of successive quadruples 
(C^), and so on. Eor example, if n = 8 , we need to store the following vectors 

= (ci, C 2 , C 3 , C 4 , C 5 , C 6 , C 7 , Cg) , 

= ((ci + C 2 ), (C 3 + C 4 ), (C 5 -f Ce), (C 7 -f Cg)) , 

= ((ci + C 2 + C 3 + C 4 ), (C 5 -b C 6 + C 7 + Cg)) . 

By using C the values of, e.g., Q 4 and Qg can be computed as 
Qi = Cl + C 2 + C 3 = Cl + C 3 , 

Q% = Cl + C 2 H h C‘7 = Cl + C *3 + C*Y . 

It is easily seen that computation of any Qi, i = 2,3, ... ,8, requires to sum up 
at most 3 = log 8 t-bit numbers. 

In general case, we store vectors , C^, . . . , C™, m = logn, which requires 
( 2 n — 2)t bits of memory. Let us show how to compute Qk+i, k = 1 , 2 , . . . ,n 
(recall that Qi = 0). Let k have a binary expansion kmkm-i . . . fci, where each 
fci = 0 or 1. Then 



Qk+l — kmC 2k/n T 



ik/n 



+ km-2C' 



8k/n 




Fast and Space- Efficient Adaptive Arithmetic Coding 



273 



(note that only those Cj for which ki = \ are included in the computation). This 
sum has at most m = logn t-bit addents, therefore the complexity of computing 
cumulative counts is O(tlogn) bit operations. 

When incrementing or decrementing counters in the adaptive scheme, all 
the elements of the vectors which depend on those counters should also be 
incremented or decremented. More exactly, incrementing (decrementing) Ck = 
C], must be accompanied by incrementing (decrementing) C^k /2 > 

(7™/(^/2) , which requires also O(tlog n) bit operations. To increment, e.g., C3 
(n = 8) we must increment not only but also and Cf. 

Finally, the last operation which relies on cumulative counts is finding an 
interval I{z) = [Qi, Qi+i) that contains a given number z (and the letter u = ai 
to whom this interval corresponds). This problem arises in arithmetic decoding. 
Let us show how one can solve this problem using the vectors C in O(tlogn) 
time. First compare z with C™. If z < CJ" then the target interval lies within 
[0, C™), otherwise it belongs to [C™, {w + n)). Go on comparing z with in 

the former case, and with (CJ" + C™“^) in the latter, which determines one of the 
intervals [0, Cf), Gf TCg™-^), or + {w + n)). 

After m = log n steps we obtain an interval corresponding to one letter. 

The following theorem establishes the computational complexity of the pro- 
posed adaptive scheme as function of two arguments, the alphabet size n and 
redundancy r. 



Theorem 1 Let there be given a memoryless source generating letters over an 
alphabet of size n. Let the adaptive scheme based on sliding window and arith- 
metic coding be applied to the souree providing a specified redundaney r. Then 
the memory size of the eneoder (decoder) S and encoding (decoding) time T are 
given by the estimates 



n , n 

— log n + n log — 
r r 



S < const 

( Tl / Ti 

log — ^log n + log log — log log log 



( 2 ) 

( 3 ) 



Proof. The redundancy r consists of two parts: the one caused by replacing 
unknown symbol probabilities by their estimates, denote it by rm (model re- 
dundancy), and the other caused by the encoder, denote it by rc (coding redun- 
dancy), r - rm + rc • 

It is known (see, e.g., [14]) that for the sliding window scheme rm < constn/rc. 
For arithmetic coding rc < constnr2“^ [8], where r is an internal register size 
which must be 0{t), say, r = t + logt + const. For t we have log(tc + n) — t < 
log(w + n) + 1. So we easily obtain that rc < constn/w. Hence, r < constn/u; 
and w < constn/r. 

The memory size of the encoder and decoder is caused by the necessity to 
store the window, which requires wlogn < const(n/r) logn bits, the vectors C , 
which requires {2n — 2)t < constnlog(«; + n) < constn log(n/r) bits, and internal 
registers for arithmetic coding, which requires 0{t) < constt < const log(n/r) 
bits. Summing up dominating complexities gives (2). 




274 Boris Ryabko and Andrei Fionov 



The coding time per symbol is determined by the computations over the vec- 
tors C , which requires 0(t logn) < const log(n/r) logn bit operations, and the 
computation of ranges in arithmetic coding, which uses r-bit multiplication and 
division, which, in turn, requires 0(r log r log log r) bit operations [8]. Taking 
into account r < const log(n/r) and summing up gives (3). — 

Corollary 1 If n is increasing and r is to remain constant then 

S = 0(n log n) , 

T = 0(log2 n) . 

The time estimate is better than that for known methods (where T = 0(n log n)). 
Corollary 2 If n is fixed and r ^ 0 then 
S = 0{l/r) , 

T = 0(log(l/r)loglog(l/r)logloglog(l/r)) . 

In the next section we show how to improve the memory size estimate to 
0(log(l/r)) implementing the concept of imaginary sliding window. 

3 Imaginary Sliding Window 

Let there still be given a memory less source defined in Sect. 2. We also use 
the same notions of the window, counters and probability estimation. Denote, 
additionally, by Vi the number of occurences of the letter Ui — A in the current 
window, = Ci — 1 for all i. Define ^ to be a random variable taking on values 
1, 2, . . . , n with probabilities 

Pr-^ = i-=—, i = l,2,...,n (4) 

w 

(the problem of generating such a variable will be considered further below). 

The encoding of the novel symbol u is performed as follows: encode u ac- 
cording to the current estimated probability distribution {p{u) = c{u) / {w + n)); 
generate a random variable decrement counter c^, i.e., the counter correspond- 
ing to the ^th letter of the alphabet A; increment counter c{u) corresponding to 
the letter u. 

A distinctive feature of this scheme is that a randomly chosen counter is 
decremented rather than a counter corresponding to the oldest symbol in the 
window. In this scheme, the context of the window is not used, therefore storing 
the window is not needed, which saves w log n bits of memory. But a question 
arises whether this scheme is able to represent the source statistics with the 
precision sufficient to guarantee a specified redundancy? So the next our task 
is to show that it is, more exactly, we show that the estimated distribution 
provided by imaginary sliding window converges with exponential speed to the 
distribution provided by real sliding window. 




Fast and Space- Efficient Adaptive Arithmetic Coding 



275 



Denote by A the set of all vectors A = (Ai, . . . , A„) such that all Ai are non- 
negative integers and Xir=i is clear that in case of real sliding window 

= (zvi, . . . , /v„) is a random vector that obeys the multinomial distribution 




(see, e.g., [15]). 

In case of imaginary sliding window, i/ = (ci — 1, . . . , c„ — 1) is also a random 
vector whose distribution is a question to be answered. We shall indicate by 
superscript I the state of vector after the 1th encoded symbol, i.e., in the 
process of coding vector i/ assumes the states ... .. . The next theorem 

decides on the distribution for and shows that imaginary sliding window is a 
sufficiently precise model of real sliding window. 



Theorem 2 Let there be given a memoryless souree generating letters over the 
alphabet A = -ai , . . . , On — with probabilities p{ai), . . . ,p{an); the imaginary slid- 
ing window seheme is used with the window size w. Then 



lim Pr-z/( = Ai, 1^2 = "^2 



Ai, A 2 , . . . , Ar 






(6) 



2=1 



the limit in (6) exists for any initial distribution = (n^,. . . and there 
exists a eonstant C < I, independent of (Ai, . . . , A„) and {nf , . . . , sueh that 



Pr-i/{ = Ai,4 = A2,---,vI 




<CK (7) 



Proof. Define a Markov chain M with A states, each state being correspondent 
to a vector from A (informally, each vector 1 / = (z^i, . . . , of imaginary sliding 
window has a corresponding state in M). A transition matrix for M is defined 
as follows: 



\i 

—p{ai), 

w 



-Pai A2 = 




if >\ = +1. ^j= - 1, * ^ J, 

= K’ k^j ; 

if A^ = A2 ; 
otherwise . 



( 8 ) 



This probability matrix corresponds to transition probabilities of imaginary slid- 
ing window. The first line in (8) corresponds to the case when the jih coordinate 
of the vector is decremented by 1, and the fth coordinate is incremented by 




276 



Boris Ryabko and Andrei Fionov 



1, which means introducing the letter Ui in the window, which, in turn, occurs 
with probability p{ai). The second line in (8) corresponds to the case when the 
vector remains intact. This happens if a coordinate is first decremented 
(with probability i^]^/w) and then incremented (with probability p{ak))- 

The chain M has a finite number of states and is plainly seen to be non- 
periodical (see, e.g., [15]). Consequently, there exist limiting probabilities for M, 
i.e., such TTx that for any fi,X — A there exists the limit 



lim x{l) = 



(9) 



independent of /i (here \{l) denotes the probability of transition from to 
A in I steps, I — 1). 

It is known (see [15]) that limiting probabilities satisfy the system of equa- 
tions 

tta = E A, X-A, 

fj. A 

E tta = 1 ■ 

A A 



Next we show that for any A = (Ai, . . . , A„) — A 

n 



7TA = 



w 

Ai, A 2 , . . . , Ar 



2=1 



To do this, put (11) and (8) in (10). As a result, 

n 



w 

Ai, A 2 , . . . , Ar 



2=1 



n n 

E E 

2=1 j = l,j=t 



Ai, . . . , A^ 1, . . . , A 7 “h 1 • • • A7 



^i=i 
n 

E 



aE P(«i) + 1 



p{ai 



w 



-p{ai) 



k=l 



w 

Ai 5 A 2 , . . . , Xj 



2=1 



( —pm 



Put the equality 



w 

1 5 • • ■ ) Aj T 1 ... A 

in (12) and after simple transpositions obtain 
Ai p{aj)\ ( Xj + I 



w 






n n 



E E 

1=1 



Xj + 1 p{c 



p{ai 



Al, A 2 , . . . , Xn) Xj + 1 



^ —p{ak) = 1 
fc=i 



(10) 



( 11 ) 



(12) 




Fast and Space- Efficient Adaptive Arithmetic Coding 



277 



Consequently, (11) is the solution of (10). Taking into account the definition (9) 
obtain (6). 

The second statement of the theorem may be easily obtained from the general 
proposition on exponential speed convergence to a limiting distribution (see [15]) 
(this requires that a Markov chain should satisfy certain conditions which is 
easily checked in our case). — 

From the first proposition of the theorem it follows that imaginary sliding 
window behaves asymptotically just like as real sliding window or, more exactly, 
the distribution of approaches, as I increases, the distribution (5) 

of the numbers of occurences of the letters ai, . . . , a„ in the real window. From 
the second proposition it follows that in case of change in the source statis- 
tics at the moment I, the distribution of , ■ ■ ■ , converges to the new 
distribution as S increases being thus considered as an initial dis- 

tribution). Therefore, applied to memoryless sources, imaginary sliding window 
has the same properties as real sliding window, namely, it allows to estimate the 
source statistics quite precisely and adapts fast if the statistics change. 

Let us now consider the problem of generating random variable Assume 
that the only source of randomness is a symmetric binary source generating a 

sequence Z\Z 2 . . . Zk ■ ■ ■ , where each zk 0, Pr— Zfc = 0— = Px—zk = 1— = 

1/2, and all symbols are independent. We do not consider here the complexity 
of obtaining random bits. Our aim is to convert a random bit sequence into 
a random variable ^ with probability distribution (4). Denote by ^ a random 
number built from s = Tog re— random bits, i.e., the binary expansion of 2 ; is 
ziZ 2 ■ ■ - Zs- It is plain that z may take on any value from -0, 1, . . . , 2* — 1 — with 
probability 1/2®. It is also plain that, for any w < 2®, the process of generating 
z until z < w produces a random variable 2 ;^ that takes on any value from 
-0, 1, . . . , tc — 1— with probability l/w. Since w > 2®“^, less than 2 iterations are 
required on average. 

Define 



01=0, = i = 2,3, . . . ,n+ 1, {On+i=w). 

j<i 



Consider a random variable ^ over -0,1, . . . ,w — 1— such that ^ = i iS 0i — z < 
01+1 . It can be easily found that 



Pr-^ = 1— = Pr-01 — 2: < 01+1—= 



0j+i ~ 0j 

w 



w 



This is our intended distribution (4). 

To implement this procedure notice that finding 0i and 0i+i given 2 ;“ is the 
same process as finding an interval and a correspondent symbol in arithmetic 
decoding (which has been described in Sect. 2). Hence, this procedure may be 
efficiently performed by using the data structure defined in Sect. 2. The only 
difference is that the values Vi are less by one than counters ci involved in the 
construction of C . This may be easily checked by substracting 2^^^ from Cj 




278 



Boris Ryabko and Andrei Fionov 



in the process of finding a relevant interval. So, generating ^ does not increase 
the the order of complexity of the method. 

The results obtained in this section are summed up in the following 

Theorem 3 Let there be given a memoryless souree generating letters over the 
alphabet A = -ai, 02 , . . . , a„— . Let the adaptive seheme based on imaginary slid- 
ing window and arithmetie coding be applied for encoding symbols generated by 
the source. Then the memory size of the encoder (decoder) S and encoding (de- 
coding) time T are given by the estimates 

S < const ^ulog— ^ , (13) 

( Tl / Tl Tl \ \ 

log — ^logn + loglog — logloglog — j j . (14) 

So the time complexity of adaptive coding using imaginary sliding window is 
essentially the same as in case of real sliding window, while the space complexity 
is less in order of magnitude because the window is not stored (we eliminate the 
term (n/r)logn in (2)). 

Let us give some remarks, without any strict considerations, about the ways 
of obtaining random bits Z 1 Z 2 ■ ■ ■ Zk ■ ■ ■ ■ To maintain the imaginary sliding win- 
dow these bits are to be known to both the encoder and decoder. A usual way 
to solve the problem is to use synchronized generators of pseudorandom num- 
bers. We suggest an additional way, namely, using the bits of the code sequence 
(maybe, with some simple randomizing permutations). The ground for this pro- 
posal is that the compressed data are almost random, more exactly, the code 
sequence approaches a sequence of uniformly distributed code letters as the cod- 
ing redundancy decreases. The encoder and decoder may use a part of already 
encoded message for producing random numbers. It is important that the code 
sequence is known to both the encoder and decoder and they need to store only 
a small current part of it. This way of obtaining random numbers may occur to 
be easier than using separate generators. 

References 

1 . Jelinek, F.: Probabilistic Information Theory. New York: McGraw-Hill (1968) 476- 
489 

2. Rissanen, J. J.: Generalized Kraft inequality and arithmetic coding. IBM J. Res. 
Dev. 20 (1976) 198-203 

3. Pasco, R.: Source coding algorithm for fast data compression. Ph. D. thesis. Dept. 

Elect. Eng., Stanford Univ., Stanford, CA (1976) 

4. Rubin, F.: Arithmetic stream coding using fixed precision registers. IEEE Trans. 
Inform. Theory 25 , 6 (1979) 672-675 

5. Rissanen, J. J., Langdon, G. G.: Arithmetic coding. IBM J. Res. Dev. 23 , 2 (1979) 
149-162 

6. Guazzo, M.: A general minimum- redundancy source-coding algorithm. IEEE 
Trans. Inform. Theory 26 , 1 (1980) 15-25 




Fast and Space- Efficient Adaptive Arithmetic Coding 



279 



7. Witten, I. H., Neal, R., Cleary, J. G.: Arithmetic coding for data compression. 
Comm. ACM 30 , 6 (1987) 520-540 

8. Ryabko, B. Y., Fionov, A. N.: Homophonic coding with logarithmic memory size. 
Algorithms and Computation. Berlin: Springer (1997) 253-262 (Lecture notes in 
comput. sci.: Vol. 1350) 

9. Rissanen J., Langdon G. G.: Universal modeling and coding. IEEE Trans. Inform. 
Theory 27 , 1 (1981) 12-23 

10. Cleary, J. G., Witten, I. H.: Data compression using adaptive coding and partial 
string matching. IEEE Trans. Commun. 32 , 4 (1984) 396-402 

11. Moffat, A.: A note on the PPM data compression algorithm. Res. Rep. 88/7, Dep. 
Comput. Sci., Univ. of Melbourne, Australia, 1988. 

12. Willems, F. M. J., Shtarkov, Y. M., Tjalkens, T. J.: The context-tree weighting 
method: Basic properties. IEEE Trans. Inform. Theory 41, 3 (1995) 653-664 

13. Ryabko, B. Y.: The imaginary sliding window. IEEE Int. Symp. on Information 
Theory. Ulm (1997) 63 

14. Krichevsky, R.: Universal Compression and Retrieval. Dordrecht: Kluwer Academic 
Publishers (1994) 

15. Feller, W.: An Introduction to Probability Theory and Its Applications. New York: 
Wiley & Sons (1970) 




Robust Protocol for Generating Shared RSA 

Parameters 



Ari Moesriami Barmawi, Shingo Takada, and Norihisa Doi 



Department of Computer Science, 

Graduate School of Science and Technology, Keio University, 
3-14-1, Hiyoshi, Yokohama 223, Japan 
{ari, michigan, doijOdoi . cs .keio . ac . jp 



Abstract. This paper describes how n parties can jointly generate the 
parameters for the RSA encryption system while being robust to pre- 
vent attacks from cheaters and malicious parties. The proposed protocol 
generates a public modulus number, without the parties knowing the 
factorization of that number. Our proposed protocol is similar to that of 
Boneh- Franklin’s protocol. However, when there are two communicating 
parties our proposed protocol does not need the help of a third party. 
By using our proposed protocol, we can detect the presence of mali- 
cious parties and cheaters among the authorized user. An analysis shows 
that our proposed protocol has less computational complexity than the 
protocol of Frankel-MacKenzie-Yung. 



1 Introduction 

There are several cryptographic protocols that require an RSA modulus number 
for which none of the communicating parties know the factorization (such as 
[6], [7], [8], [9]). Therefore, it becomes necessary for the parties to jointly generate 
the RSA parameters (i.e. modulus number , public key and secret key). Boneh 
and Franklin have proposed a protocol for generating shared RSA parameters 
[1]. However, their protocol is weak against malicious parties (i.e., attackers 
who can view the servers’ memory at any moment, hear the messages which are 
broadcast and inject his own messages [2]) and cheaters (i.e., authorized parties 
who cheat during the protocol, e.g., cheating which cause a non-RSA modulus 
to be incorrectly accepted and resulting in the factor of the modulus number 
being found [4].) 

To overcome this problem, many robust protocols for generating RSA pa- 
rameters have been proposed such as those of Frankel-MacKenzie-Yung [2] and 
Malkin- Wu-Boneh [4]. These protocols have a quite high computational and 
communication complexity. 

We propose a protocol for generating shared RSA parameters among par- 
ties. Our protocol is similar to that of Boneh-Franklin’s but when there are two 
communicating parties, it does not require any help of a third party. Our pro- 
tocol also takes into account robustness against malicious parties and cheaters, 
with computational complexity lower than Frankel-MacKenzie- Yung’s. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 280-289, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




Robust Protocol for Generating Shared RSA Parameters 281 



Section 2 describes, our proposed protocol. Section 3 then gives an analysis 
in terms of security. Section 4 compares our approach with previous ones and 
section 5 makes concluding remarks. 

2 The Proposed Protocol 

This section gives an overview of our protocol and the details of each procedure, 

i.e., the generation of a modulus number, the generation of the shared keys and 
the recovery of the encrypted message. 

2.1 Overview 

For simplicity, we will call party as . Suppose that all parties (for = 
1 ) wish to generate shared RSA parameters. After the execution of our 

proposed protocol, the RSA modulus number and the encryption key are 
publicly known, while the decryption key will be shared among the parties 
in a way which enables threshold decryption. All parties should be convinced 
that is indeed a product of two prime numbers, but neither party knows the 
factorization of 

Our protocol is based on the procedure proposed by Boneh and Franklin. 
Besides, it is also similar to Cocks’ [5], but 

we have extended Cock’s algorithm to improve computational efficiency and 
generalized it to handle more than two parties without weakening the protocol’s 
security. 

Our proposed protocol consists of the following three procedures: 

1. The generation of RSA modulus number (where is a product of two 
prime numbers and ). No party knows the factorization of 

2. The generation of shared decryption key for a given encryption key . 

3. The recovery of an encrypted message. 



2.2 The Generation of Modulus Number N 

Our proposed protocol determines based on a set of secret numbers that all 
parties have. Each party has two secret numbers and and the two prime 

numbers are defined as = ( i + 2 + + ) and = ( ^ + 2 + + )• 

The procedure for generating the modulus number consists of two sub-pro- 
cedures: 

1. Generation of 

2. Primality testing of 

The Generation of N is performed based on Protocol lA (Figure 1) as follows: 

1. All parties have to agree on the length of modulus number in advance. 

2. Each party chooses three large prime numbers , and (where the 

size of is a few digits greater than the size of and the size of is 
greater than a half of the size of ), a number which is greater than 2, 

an odd number where ( ) = Ij and ’s secret numbers and 

. We assume that and must be congruent to 3 mod 4. Eurthermore, 
each party : 




282 



Ari Moesriami Barmawi, Shingo Takada, and Norihisa Doi 



— First, calculates (i) = ( )( ’( ) ’mod and then (i) — 

( ) (i)mod 

— Caleulates (2) = ( )( )^~ ’( )~ ’mod and then (2) ~ ( ) (2) 

mod 

— Caleulates (3) = ( )( ’mod and then (3) — ( (3) 

mod 

Then, calculates ( (i) )> ( (2) ) and ( (3) 

). If those values have at least two large prime factors then broad- 
casts (1) (2) and (3) along with . Otherwise has to choose 

another and repeat step 2. 

3 . Each party +1 sends 

(1) - ( (1) +1+ (2) +1+ (3)( +1 +i))mod 

4 . Each party broadcasts (2) = (i) + (2) mod for = 

1 2 and = — 1 (e.g. suppose = 5 , = 5 , then 5 has to 

broadcast 15(2), 2 5(2)> 35(2))- 

5 . Each party sends (3) where 

( 3 ) = ( 3 )[( + 1 + +1 + +1 +l)+ ^ ( + )] 

fc = l; 

mod 

for =12 = -|- 1 (e.g. if = 2 , = 5 , then =14 5 . This means 

that 2 has to send 12(3) to 1, 42(3) to 4, 52(3) to 5). 

6. Each party can calculate the RSA modulus number using the following 
equation: 

-( )’ -mod [[ (i)+ (2)+ Z] 

j = i; .7 = 1; 

mod (( ) ) + mod 

The example for calculating will be described in Appendix A. 

7 . Einally each party calculates ( ) (where is any hash function that 
has been agreed upon by all parties in advance) and then broadcasts it. 

8. Each party then compares the ( ) sent by other parties and the ( ) that 
he just calculated. If all values are equivalent, then all parties will agree on 

as their RSA modulus number. Otherwise, they will repeat the procedure. 

After generating the modulus number , all parties have to test whether is a 
product of two primes and and to prove that these primes are those used in 
the primality test to detect the presence of a cheater and/or a malicious party. 
We use the primality test proposed by Boneh and Franklin [ 1 ] with additional 
steps for detecting cheaters and malicious parties. The procedure is as follows: 

1 . All parties agree on a number , where the Jacobi symbol of over or 
must be 1, i.e., ( ) = 1- 



( 3 )] ] 

( 1 ) 




Robust Protocol for Generating Shared RSA Parameters 283 



Message l.Ui -► * : XiY^5i, F^s) 

Message 2. Ui+i-*- Ui : Zi(i) 

Message 3. Uj -► * : 

Message 4. Uj Ui : 

Message 5. Ui -► * : H{N) 

Fig. 1. Protocol lA 



2. Each party calculates 

- ( 1 ) — ‘^mod , 

- (2) - ^ "^mod , 
and exchanges these results. 

Each party can verify whether a party is malicious using the following 
procedure: 

— Each party chooses any integer and then calculates 

= ( j(i)+ j(2)) iUiod i i i ^2) 

where the value of (i) and ( 2 ) is shown in step 2 of Protocol lA. 
Then, he broadcasts for =12 ; = . 

— Each user calculates 

= ( )( ,n(,n mod . . . jnod (3) 

and 

= ( ( 2 ))^^“°'^ ■ ‘ ^ mod (4) 

and broadcasts for = 1 2 ■, = , along with 

— Finally, each user can verify whether is malicious or not using the 
following expression: 



= ( ) ■ “lod . , . (5) 

If this expression is NOT TRUE then is a malicious party or a cheater. 
If there is a malicious party or a cheater among the parties, then the 
protocol for modulus number generation should be repeated without 
including the malicious party or the cheater. 

3. Eurthermore, they verify that is a product of two primes using the follow- 
ing equation: 




284 Ari Moesriami Barmawi, Shingo Takada, and Norihisa Doi 



(i) = “[Il (2)] mod (6) 

j = l\ 

Each party may execute equation (6) for = 1 2 
4. If we consider = where = ( i) = ( 2 ) ^ and — 1 mod ( 1 )*^ 
then the above two steps will pass incorrectly. We thus have to check whether 
satisfies ( + — 1) 1. 

For calculating ( + — 1), we will use protocol IB^ (see figure 2). Each 

party hrst chooses his own number . Then they execute Protocol IB. 

Message l.Ui : Gri(i), Gi( 2 ), Gi(s) 

Message 2. Ui+r^ Ui : Id(i) 

Message 3. I/j -► * : Id,j( 2 ) 

Message 4. Uj Ui : Id.j( 3 ) 

Message 5. t/i -► * : H{w) 

Fig. 2. Protocol IB 

The definition of all variables used in Protocol IB is given below: 

- = + (except for = 1, = + — 1) 

- (1) = ( )( )( •( )■ ’mod 

- (2) = ( )( )( + ’( y ’mod 

- ( 3 ) = ( K )( )“ ’mod 

“ (1) ~ ( (1) + 1 + (2) +1+ (3)( +1 +i))mod 

“ ( 2 ) = ( 1 ) +1 + ( 2 ) +imod 

“ (3) = (3)[( +1+ +1 + +1 +l) + I] fc=i! ( + )] 

mod ( ) 

- for , , , and all parties can use the values used in Protocol lA 

with ( ) is the hash of . 

The execution of Protocol IB results in all parties jointly calculating 
= ( )“^( ) ■ ^ mod [[ ( 1 ) + (2) + XI (3)] ] 

i=i; j=i; 

mod ( ) + mod 

^ Details of Protocol IB is similar to Protocol lA, and will be omitted due to space. 




Robust Protocol for Generating Shared RSA Parameters 285 



Then calculating = mod . According to Boneh-Franklin [1], ( ) = 

( ). Thus, if all parties can verify that ( ) 1, they will reject this 

number. 

Unfortunately, this test will also eliminate a few valid numbers i.e. moduli 
= , for = 1 mod . We do not describe the protocol for testing whether 

is a valid number , but it is similar with the test for two parties which was 
described in [12]. 

2.3 The Generation of Shared Public/Secret Keys 

We now describe the procedure for generating public/secret keys. Suppose all 
parties have successfully calculated . Then, they will jointly generate shared 
decryption key , where = X] =i mod ( ) for some agreed 

upon value of . Each party will have its own decryption exponent . For 
generating the keys, we will use the method proposed by Boneh and Franklin [1] 
but without the help of a third party. 

The procedure for generating shared keys are as follows: 

— Each party broadcasts ( + ) mod . 

— Each party calculates — ( ) mod which is congruent to [(X^ ) + 

(E =1 ) - - 1] mod . 

— Since ( ) and are relatively prime, then all parties can calculate 

7 = — ( ( mod . 

— Thus, = 1 + ( ( ))( 7 ) and 

i + ( +i-(e:i( +( ))))(7) ( 7 ) 

Each party’s decryption key , is calculated according to the following pro- 
cedure: 

— Let 7 ( + 1) — 7 ( + ) mod — mod . Each party (except for 

= 1) broadcasts . i broadcasts i= + 7 ( +1)— 7 ( 1 + 1 ) mod 

— Each party calculates 

= + ^(7( + 1) - 7( + )) mod = ^ mod 

=1 =1 

— If =0 then execute the following procedure 1: 

1. 1 calculates 1 = +( +Lt- t( 1 + 1 ) ^ 

2. For — — , calculates = ( + 1 ) 7 - t( i+ i) _ 

3. For - , calculates = ( +L 7 - 7( .+ .) _ 

— If =0 then 

1. 1 executes step 1 of procedure 1. 

2. For 2— execute step 2 of procedure 1. 

3. For — 2— execute step 3 of procedure 1. 

For verifying that the key generation is done successfully, all parties have to 
agree on a message in advance, then each party has to sign this message 

using his own decryption key and broadcast the signed message. Furthermore, 
each party multiplies all signed messages and decrypts it with the public key. th 




286 Ari Moesriami Barmawi, Shingo Takada, and Norihisa Doi 



3 Security Analysis 

In this section we will analyze the ability to calculate the factors of modulus 
number , and also summarize the security requirements. 



3.1 Ability for Finding Factors of N 

Since the strength of our proposed protocol is on breaking the modulus num- 
ber , we will analyze how far the messages which a party obtained will leak 
information for obtaining other party’s secret number and 

First, we will analyze each message of the protocol for generating (Protocol 
lA). Assume that each party only saves , while , , , and have 

to be destroyed or changed after a round of executing Protocol lA. Message 1 
contains numbers which are functions of , , , , , and . There are 

three ways to obtain the values of and by other parties: 

— Other parties can obtain and iff they can find the inverse of the function 

(3) since the product of (( (s))”^ mod ) and ( (i) mod ) is 

( mod ) and the product of (( (3))“^mod ) and ( (2) mod 

) is mod . There is no possibility of calculating the multi- 
plicative inverse of (3) since and (3) are not relatively prime. 

— Other parties can obtain and by finding the factors of because 

if they knew , then they can find ( (i) mod ), ( (2) mod ) 

and ( (3) mod ). This means that they can find the multiplicative 

inverse of ( (3) mod ). Thus, they can obtain and by multi- 
plying ( (1) mod ) and ( (2) mod ) with the multiplicative 

inverse of ( (3) mod ). As described above, only is saved by 

. Thus, the possibility of obtaining and is equal to the possibility of 
factoring 

— and can also be obtained by calculating ( (i) )i ( (2) 

) and ( (3) )• From these processes they can obtain and 

furthermore obtain , . But, since (i), (2) and (3) have at least two 

large prime factors, it is still hard to obtain 

Since messages 2, 3 and 4 contain functions which have more than three unknown 
variables, then there are no possibility of obtaining and from these messages. 

Even if a malicious party or a cheater who can corrupt is still difficult for 
them to pass our proposed protocol correctly, since to pass the protocol they 
have to find the faetors of which is not saved in the memory of 



3.2 Security Requirement 

Based on the above discussion, there are a few conditions that need to be sat- 
isfied to keep the factors of modulus number secret. These conditions can be 
summarized as follows: 




Robust Protocol for Generating Shared RSA Parameters 287 



— All parties have to determine the length of modulus number in advance. 

— Each party has to choose the length of to be a few digits longer than 
the length of 

— Each party has to choose the length of and such that the length of 

is about the length of 

4 Comparison with Other Protocol 

Protocols have been proposed for jointly generating RSA parameters, such as 
Boneh-Eranklin and Erankel-MacKenzie-Yung for parties and Cocks and 
Poupard-Stern [3] for two parties. 

Since our proposed protocol is for parties, then we will compare it with the 
protocol of Boneh-Eranklin [1] and Erankel-MacKenzie-Yung [2]. 

The benefit of our proposed protocol compared with Boneh-Eranklin is that 
when there are two communicating parties, our protocol does not need any third 
party for calculating the modulus number as well as the keys. 

The probability of generating an RSA modulus number from two random 
primes of bits each is about ( which means that we will have about 

^ rounds. Each round will have computational complexity about 12 modular 
exponentiations and communication complexity is about (10 — 3). Thus, the 
computational complexity is about less than a third compared with the protocol 
of Erankel-MacKenzie-Yung (which is 24 ( +1)). Another benefit of our pro- 
posed protocol is that the communication complexity does not depend on the 
size of 

5 Conclusion 

We have proposed a protocol for jointly generating parameters in RSA encryp- 
tion. When there are two communicating parties, our protocol does not need 
the help of a third party, and it has less computational complexity compared 
with previous protocols. The advantage of our proposed protocol is that the 
communication complexity does not depend on the size of 

References 

1. Boneh, D. and Franklin, M.: Efficient Generation of Shared RSA Keys. Advances 
in Gryptology-Grypto ’97. Lecture Notes in Computer Science. Springer Verlag 
(1997), 423-439. 

2. Prankel, Y., MacKenzie,P. D.,Yung, M.: Robust Efficient Distributed RSA-Key 
Generation. Proceedings STOC 98. ACM (1998). 

3. Poupard, G. and Stern, J.: Generation of Shared RSA Keys by Two Parties. Pro- 
ceedings of ASIACRYPT 98. Lecture Notes in Computer Science. Springer Verlag 
(1998), 11-24. 

4. Malkin, M., Wu, T. and Boneh, D.: Experimenting with Shared Generation of 
RSA Keys. Proceedings of Internet Society’s 1999 Symposium on Network and 
Distributed Network Security, (1999). 




288 Ari Moesriami Barmawi, Shingo Takada, and Norihisa Doi 



5. Cocks, C.: Split Knowledge Generation of RSA Parameters. Proceedings of 6tli 
International Conference of IMA on Cryptography and Coding. Lecture Notes in 
Computer Science. Springer Verlag (1997), 89-95. 

6. Feige, U., Fiat, A. and Shamir, A.: Zero- knowledge Proofs of Identity. Journal of 
Cryptology, 1, (1988), 77-94. 

7. Fiat, A. and Shamir, A.: How to Prove Yourself: Practical Solution to Identification 
Problems. Crypto ’86. Lecture Notes in Computer Science (1986), 186-194. 

8. Ohta, K. and Okamoto, T.: A modification of Fiat-Shamir scheme. Crypto ’88. 
Lecture Notes in Computer Science. Springer Verlag (1988), 232-243. 

9. Ong, H. and Schnorr, C.: Fast Signature Generation with a Fiat- Shamir- like 
Scheme. Eurocrypt ’90. Lecture Notes of Computer Science. Springer Verlag (1990), 
432-440. 

10. Rivest, R. L., Shamir, A. and Adleman, L.: Method for Obtaining Signatures and 
Public- Key Cryptosystems. Communication of the ACM (1978). 

11. Schneier, B.: Applied Cryptography: Protocols, Algorithms, and Source Code in 
C. John Wiley and Sons (1994). 

12. Barmawi, A. M., Takada, S., Doi, N.: A Proposal for Generating Shared RSA 
Parameters. Proceeding of IWSEC 99, September, 1999. 



A Calculating N by Each User 



Here we will simulate how a party can calculate the modulus number using 
all information that it has obtained. Suppose = 1 , = 5 , then i can calculate 

using equation (1) as follows: 



- ( i) ^( i) ^ mod 
mod (( 111) i) + 



1 1 [[ 1 ( 1 ) + 

3 = 1; 

1 1 mod 1 1 



=5 

(2) + X] 1 (3)] 

j = i; 



( 8 ) 



Let 1 — ( i) ^( i) 1 1(1) 1, 2 — ( l) H l) ^ iHZ) =1+2 1 (2)) ) 

and 3 = ( i)^^( i) ' i'(E =2 1 ( 3 )) 1 - 

Then, equation 8 can be written as: 



= 1 + 2 + 3 mod 



( 9 ) 



Next, we will calculate i, 2 and 3 in detail. 



1 = ( 1) ^(1)^(1)^ 1(1) 

= ( i)-'( 1) U 1) M i( 1)'- H 1)- ^ 2+ i( 1)- U 1)'- ^ 2 + 
i( 1)" H 1)" ' 2 2] 

= 12 + 21 + 22 



2 2 



( 10 ) 




Robust Protocol for Generating Shared RSA Parameters 289 



=5 

2 = ( l) H l) n l) H X/ 1 (2)] 

i=i; 

-5 

= ( l)"H l) U l) HX! 1 (2)] 

=3 

= ( l) l) l) 4 13(2)+ 14(2)+ 15(2)] 

= 13+ 31+ 14+ 14+ 15+ 51 (11) 

=5 

3 = ( l)~H l) H l) 4 X] 1 (3)] 

j = i; 

1 , 5 

^4 

= ( i)“4 i) 4 i) 1 (3)] 

=2 

=5 

= ( l) l) 4 l) 4 1 1 ^ 1 4[“ 2 3 + 3 2 + 3 3 + ^ 2+2 

fc=l; 

^,<^1,2,3 

^5 

H 34+ 43+ 44+ 'Y2 3+3“ 

fc = l; 

fc7<il,2,3,4 

-5 

H 45+ 54+ 55+ 4+4 — 

fc=l; 

fc7<il,2,3,4,5 

= 23+ 32+ 33+ 24+ 42+ 25+ 52+ 34+ 43+ 44 

+ 35+ 53+ 45+ 54+ 55 (12) 

Thus, by using equations (10), (11), and (12), we can obtain: 

= 1 + 2 + 3 mod 1 1 

= [l2+ 21+ 22+ 13+ 31+ 14+ 14+ 15+ 51+ 23 

+ 32+ 33+ 24+ 42+ 25+ 52+ 34+ 43+ 44+ 35 

+ 53+ 45+ 54+ 55+ ll] mod i i 

= (l+ 2+ 3+ 4+ 5)(l + 2+ 3 + 4+ 5 ) mod 



1 1 



(13) 




Some Soft-Decision Decoding Algorithms for 
Reed-Solomon Codes 



Stephan Wesemeyer*, Peter Sweeney, and David R.B. Burgess 
Centre for Comm. Systems Research, University of Surrey, Guildford GU2 5XH, U.K. 



Abstract. In this paper we introduce three soft-decision decoding al- 
gorithms for Reed-Solomon (RS) codes. We compare them in terms of 
performance over both the AWGN and Rayleigh Fading Channels and 
in terms of complexity with a special emphasis on RS codes over IF le. 
The algorithms discussed are variants of well known algorithms for bi- 
nary codes adapted to the multilevel nature of RS codes. All involve a 
re-ordering of the received symbols according to some reliability mea- 
sure. The choice of reliability measure for our simulations is based on a 
comparison of three in terms of how they affect the codes’ performances. 



1 Introduction 

It is well known that one way of facilitating soft-decision decoding for linear block 
codes is to represent them by a trellis and apply the Viterbi algorithm (VA) to 
decode them. However, the complexity of the VA makes its use infeasible for all 
but a small number of linear codes. Because of the widespread use of RS codes, 
it would be highly desirable to find efficient soft-decision algorithms for them. 
Various approaches have been proposed (see [1] for a recent example). This paper 
introduces a further three. Our simulations were based around an AWGN and a 
Rayleigh fading channel with BPSK (binary-phase-shift-keyed) modulation and 
8-level uniform quantisation. Except in a very few cases with extremely long 
simulation runs, we based the results on 100 error events (word errors, not bit 
errors). Throughout the paper we denote by a finite field of g = 2* elements 
and assume an [n, k] linear code over Fg which can correct t errors. 

2 The Algorithms 

The Dorsch algorithm was proposed in [2] for binary codes and has more recently 
been applied by Fossorier and Lin [3] . Given a code of length n and dimension k 
the idea is to find k most reliable symbols whose positions are such that they can 
be used as an information set of the code. Various error patterns are added to this 
information set and each result is re-encoded. In each case, the distance of the 
obtained codeword from the received word is computed. Decoding stops as soon 
as we have a maximum-likelihood solution or the number of permitted decoding 

* The research was supported by an EPSRC grant. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 290-299, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




Some Soft-Decision Decoding Algorithms for Reed-Solomon Codes 291 



tries has been exhausted (in which case the best solution up to that point is 
output). Our first two algorithms {A1 and A2) are based on this technique. 

The codeword closest to the received word in terms of the following metric 
is the maximum-likelihood solution we want to find. 

Definition 1. Let s- = (s^^, . . . , s-;) — be the symbol obtained by using hard 
deeision (s^ 0, 7—) on Vi = {rn, . . . ,ru), the ith received symbol after quan- 

tisation. The distance between a received word r = (ri, r 2 , . . . , r„) and a word 
c = (ci, . . . , c„) — F”, with a = (cii, . . . , Oil) — Fg, is defined as 

n I I 

dist(r, c) = ^(distsym(ri, Ci)) where distsym(ri, Ci) = ^ ^ 

i=l j = l j = l 

Furthermore, all algorithms produce a continuous stream of possible solutions 
which are subjected to a stopping criterion that, if satisfied, is sufficient (though 
not necessary) to guarantee a maximum-likelihood solution [4], in which case 
the decoding stops. Since we are concerned here with RS codes, any k symbols 
may be used as an information set. Hence we simply sort the symbols according 
to reliability (see Chapter 3) and, in algorithm Al, we use the k most reliable 
as the information set. A2 repeats Al using the k least reliable symbols unless 
a maximum likelihood solution has already been found by Al. 

Fossorier and Lin’s implementation of the Dorsch algorithm checks error 
patterns corresponding to i errors in the information set. This has been termed 
order-j reprocessing [3]. In our version, we take a slightly different approach 
which is closer to the original Dorsch algorithm. Our order for testing the error 
patterns to be added to the chosen information set is the proximity of the re- 
sulting sequence to the corresponding part of the received word. The index used 
is the generalisation of ’dist’ to different length sequences which takes the sum 
of all the ’dist gym’s over the symbols of the sequence. This is achieved by using 
a stack-type algorithm, whereby stacks of sequences of different lengths are kept 
in storage, ordered according to the index. A sequence from the stack of lowest 
index is extended in q different ways by appending a symbol, the indices of the 
resulting sequences are calculated and they are each put in the appropriate stack. 
The memory requirement of this implementation is determined by the maximum 
number of decoding tries. Let MDT be this maximum and DT be the number 
of decoding tries so far. Then we only need to keep MDT — DT information sets 
of smallest index in our array as none of the others will be used. 

Our third algorithm (A3) simply applies Al and, if that algorithm does not 
produce a maximum-likelihood solution, then a Chase-style algorithm is applied 
to the sorted word, i.e. we apply a hxed number of error patterns of least distance 
to the least reliable symbols and then use an algebraic decoder to decode. This 
approach has already been applied successfully to binary codes by Fossorier and 
Lin [5]. 




292 Stephan Wesemeyer, Peter Sweeney, and David R.B. Burgess 



3 Sorting 

All the algorithms depend on sorting the received symbols according to some 
reliability measure. In the case of binary codes, Fossorier and Lin showed that 
on an AWGN and on a Rayleigh fading channel with BPSK modulation, the 
absolute value of the received symbol is the most appropriate choice [3]. The 
higher that value is, the more reliable hard decision on the received symbol will 
be. With RS or indeed any code whose symbols come from a non-binary finite 
field we need to find a slightly different approach. In such a case, each ’received 
symbol’ will, in fact, be a string of symbols which, between them, indicate the 
binary representation of the ’received symbol’. 

Definition 2. Let r = (ri,...,n) with 0 — n — 7 be a reeeived symbol after 
quantisation and define 

i 

Reli(r) = ^ -3.5 — r^— Rel 3 (r) = min— 3.5 — — 1 — i — I — 

i 

and Rel 2 (r) = R(hc!(ri)^i), where hd{j) = 

i=l 

The natural generalisation of the reliability measure of the binary case is to 
add the absolute values of the symbols in the string, thus obtaining an overall 
reliability of the ’received symbol’. As we use 8-level uniform quantisation this 
translates into ReR above. Another approach is to use Bayes’ rule. One can 
easily determine the probability P{j-Q) (resp. P(j4)) of a received bit being 
quantised to level j given that a 0 (resp. a 1) was transmitted. From that we can 
work out the probability P(0R) (resp. P{l-f)) that a 0 (resp. 1) was transmitted 
given that we are in level j. Hence we arrive at ReR. Lastly, the most basic 
approach simply takes the least reliable bit in a symbol and uses its value as the 
overall reliability of the symbol (ReR). These three reliability measures were felt 
to be the most natural ones. It can easily be seen that the higher the computed 
reliability of a symbol is, the more likely it is to be correct. 

Figure 1 (respectively Figure 2) contains the results for a [16,8, 9] ([16, 12, 5]) 
extended RS code over the AWGN channel (see Section 6.2 for the Rayleigh chan- 
nel results), decoded using algorithm A1 with a maximum number of decoding 
tries corresponding to the number of order-2 (order-2 and order-1) reprocess- 
ing attempts with and without sorting. Note that, to compute the probabilities 
accurately for ReR, we need to know at which signal-to-noise ratio (SNR) the 
bits were transmitted. As this information is not always available in practice, we 
computed the probabilities for a SNR of IdB adjusted by the code rate, R say, 
i.e. SNR= R — 10°'^ and used these values throughout. (The simulations showed 
that - if anything - this approach proved slightly better than using the exact 
values for the different SNRs.) 



f 0 : 0 - J - 3 
|l : 4-J-7 




Some Soft-Decision Decoding Algorithms for Reed- Solomon Codes 293 




Fig. 1. Sorted vs unsorted [16,8,9] ex- 
tended RS code - 529 decoding tries 



Fig. 2. Sorted vs unsorted [16, 12, 5] ex- 
tended RS code - 1177 and 49 decoding 
tries 



As can be seen all reliability measures result in a marked improvement over 
the unsorted case. The reason why Reis is slightly worse than the other two 
(except in the case of 1177 decoding tries for the higher rate code) can be ex- 
plained by the observation that the number of different reliability levels attached 
to each symbol in that method is rather low (4 compared to 26 for Reli and 35 
for Rel 2 ). At 1177 decoding tries, the algorithm performs close to maximum- 
likelihood decoding in any case - it is not important whether or not the least 
distorted symbols are used as an information set. 

Because there was no significant difference between sorting the symbols of 
the received words according to Reli or Rel 2 we used sorting by ReR in all the 
remaining simulations. 

4 Number of Decoding Tries 

The most crucial feature of the proposed algorithms is the number of decoding 
tries they entail. The more decoding tries the more likely it is that we find the 
maximum-likelihood solution. However, as Fossorier and Lin [3] demonstrated 
the actual gain obtained from further decoding tries has to be measured against 
the extra computation involved. 

Figure 3 is an example of how the maximum number of decoding tries (using 
algorithm Al) after sorting (with respect to ReR) can affect the performance 
of a code and how this performance compares to the unsorted case. Note that 
41449, 5489, and 529 correspond to the number of decoding tries given by order- 
4, order-3, and order-2 reprocessing respectively. There is a marked improvement 
of about IdB going from 529 decoding tries to 5489 but only a slight improvement 
of roughly 0.25dB when 41449 attempts are used instead of 5489 which does not 
justify the almost 8-fold increase in number of decoding tries. However, even then 
the eomplexity of the proposed algorithm is several orders of magnitude lower 





294 Stephan Wesemeyer, Peter Sweeney, and David R.B. Burgess 





Fig. 3. [16, 8, 9] extended RS code - dif- 
ferent numbers of permitted decoding 
tries 



Fig. 4. [16, 12, 5] extended RS code - 
different numbers of permitted decod- 
ing tries 



than that of the Viterbi algorithm which would have to deal with 16® « 4.3 -40® 
states for this code. 

Figure 4 shows the effect of different numbers of permitted decoding tries 
(using algorithm Al) for a [16, 12, 5] extended RS code. This time we restricted 
the number of decoding tries to lie in between 49 and 1177(= number of decoding 
tries for order-1 and order-2 reprocessing respectively). Note that decoding after 
sorting with a maximum of 250 decoding tries slightly outperforms unsorted 
decoding with maximum 1177 decoding tries and there is only a very slight 
improvement going from 500 to 1177 decoding tries. 

5 Measures of Complexity 

The complexity of each algorithm is expressed in terms of additions, multiplica- 
tions and comparisons which, for simplicity, are considered equivalent operations. 
All the estimates we give are based on our implementation; the idea is to give 
a rough idea of how much computational effort has to be expended on decod- 
ing. To enable us to compare the results with other algorithms and to eliminate 
the code rate as a factor, for each code considered we measure the complexity 
in operations per information bit. We compare our results throughout with the 
Viterbi algorithm applied to a convolutional code of rate R = 0.5 and memory 
k = 7 even though the rate of the RS codes vary. Higher rate convolutional codes 
are usually obtained by puncturing which does not greatly affect the number of 
operations which can be estimated at 128 comparisons (= number of states) plus 
256 additions (= number of branches). 

Our implementation of the Al and A2 algorithms require, before the re- 
encoding starts, computing the metric and some values for the stopping criterion 
(n(g — 1)® comparisons and nlq additions), sorting the symbols according to 
reliability (approximately nlog 2 (n) comparisons) and reducing a {k,n) matrix to 





Some Soft-Decision Decoding Algorithms for Reed- Solomon Codes 295 



reduced echelon form (REF) {nk"^ multiplications and nk{k— 1) additions). This 
latter is performed twice in A2 (two directions of decoding), so the preliminary 
operations for algorithm Ar (r=l,2) total: 

PopAr = u(log 2 (n) + Iq + (q — 1)^ + r{k^ + k{k — 1))). (1) 

For each decoding try (both algorithms), there are the following approximations: 
re-encoding ((n — k)k multiplications and (n — k){k— 1) additions), determining 
the distance from the received word ((n — 1) additions), determining whether 
the stopping criterion is satisfied ((n + 2 + nlog 2 (n) comparisons and n — fc + 1 
additions), determining the best solution (1 comparison per decoding try after 
the first). Thus altogether the algorithm Ar (r=l,2) requires the following total 
operations (where DT is the number of decoding tries). 



TopAr = PopAr + DT{2{n — k)k + 2n + nlog 2 (u) + 2) + {DT — 1) (2) 



The estimates for our implementation of the Chase part of A3 are based on a 
very general algorithm presented in Stichtenoth [6] and due to A.N.Skorobogatov 
and S.G.Vladut. The following are the operations per decoding try: Computing 
the syndrome ((n — k)n multiplications and (n — k){n — 1) additions), checking 
whether the syndrome is 0 (n — fc comparisons), reducing the (t, f + 1) syndrome 
matrix to REF {{t + l)t^ multiplications and {t + l)t{t — 1) additions), finding 
the error locator polynomial {t{t + l)/2 multiplications and the same number of 
additions), determining the roots of that polynomial (a maximum of qt multipli- 
cations, qt additions and q comparisons), finding the error values {{t + l){n — k)^ 
multiplications and {t + l){n — k){n — k + 1) additions), obtaining the codeword 
{t additions) and computing the distance from the received word and applying 
the stopping criterion ((n — 1) + {n — k + 1) additions and (n + 2 + nlog 2 (n)) 
comparisons). Thus, denoting by DTC the number of decoding tries involved 
in the error-only decoder, the total number of operations required for the A3 
algorithm is given by 



TopA3 = TopAl + DTC-{ 2{n — k)n + (t + l)(2t^ + 2q-\- [n — k){2{n — k) + 1)) 

-ft + 3n — fc + 2 + g + n log 2 (n)) (3) 



As all our algorithms apply a stopping criterion it is easy to see that the 
higher the SNR, the fewer the decoding attempts needed on average. In our 
simulation we computed the average number of decoding tries per received word 
which is then used to compute the total number of operations as given by the 
above formulae. It is worth noting that the complexity of all three algorithms is 
dominated by the number of decoding tries. Only for high SNRs, when the aver- 
age number of decoding tries becomes very small, do the preliminary operations 
contribute significantly to the average number of operations per information bit. 




296 Stephan Wesemeyer, Peter Sweeney, and David R.B. Burgess 



6 Comparing the Three Decoding Algorithms in Terms 
of Performance and Complexity 

6.1 AWGN Channel 

Figures 5, 7 and 9 show the performance of the algorithms when applied to 
respectively a [16, 8,9], a [16, 10, 7] and a [16, 12, 5] extended RS code. The num- 
bers next to the various algorithms indicate the number of permitted decoding 
tries, e.g. for the [16,8,9] code, the A2 algorithm was run with maximum 1500 
decoding tries for each side, and the A3 algorithm was run with 529 (first num- 
ber) Dorsch-style decoding tries permitted and the same maximum number of 
Chase-style decoding tries. We have included the performance of Forney’s GMD 
[7] and an error-only decoder to enable the reader to compare the new algo- 
rithms with two standard ones. Tables 1, 2 and 3 show how many decoding tries 
were needed for each algorithm at various SNRs. Figures 6, 8 and 10 show the 
complexity of the algorithms based on the figures in the tables. 



Table 1. Ave. num. of decoding tries ([16,8,9] extended RS code) 



Algorithm 


IdB 


2dB 


3dB 


4dB 


5dB 


Al [41449] 


40018 


36407 


27781 


14732 


4353 


Al[3000] 


2912 


2636 


1985 


1076 


316 


A2[1500, 1500] 


2902 


2666 


2006 


1063 


310 


A3[529, 529] 


[519, 519] [462, 462] [356, 355] [189, 187] [57, 55] 





Fig. 5. [16, 8, 9] extended RS code de- Fig. 6. Complexity of the algorithms 
coded using Al, A2, and A3 ([16,8,9] extended RS code) 



Comparing Figure 5 with Figure 7, in terms of the BER at various SNR there 
is hardly any difference between the [16,8,9] and the [16, 10,7] codes, probably 





Some Soft-Decision Decoding Algorithms for Reed- Solomon Codes 297 



Table 2. Ave. num. of decoding tries ([16, 10,7] extended RS code) 



Algorithm 


IdB 


2dB 


3dB 


4dB 


5dB 


Al[3000] 


2865 


2513 


1805 


882 


229 


A2[1500, 1500] 


2908 


2460 


1811 


883 


229 



A3[821,301] [795,291] [693,254] [497,181] [241,87] [64,22] 




Fig. 7. [16, 10, 7] extended RS code de- Fig. 8. Complexity of the algorithms 
coded using Al, A2, and A3 ([16, 10, 7] extended RS code) 



Table 3. Ave. num. of decoding tries ([16, 12,5] extended RS code) 



Algorithm 


IdB 


2dB 


3dB 


4dB 


5dB 


6dB 


Al[500] 


482 


401 


305 


145 


44 


7 


A2[250,250] 


477 


403 


304 


145 


44 


7 



A3[49, 17] [46, 15] [41, 14] [29, 10] [16, 5] [6, 2] [2, 1] 




Fig. 9. [16, 12, 5] extended RS code de- Fig. 10. Complexity of the algorithms 
coded using Al, A2 and A3 ([16, 12, 5] extended RS code) 





298 Stephan Wesemeyer, Peter Sweeney, and David R.B. Burgess 



due to the fact that these decoding algorithms are suboptimal and hence do not 
achieve the full potential of the lower rate code. In addition, in both Figure 6 and 
Figure 8, the pair of curves “yll[3000]” and “yl2[1500, 1500]” overlap. However, 
whereas the A3 algorithm appears to be the best choice for the [16, 10, 7] code 
in terms of both performance and complexity, for the rate 1/2 code, A2 slightly 
outperforms the other two algorithms and (like A3) allows a straightforward 
parallel implementation, so it is the preferable choice for this code. 

In the case of the [16, 12, 5] extended RS code the A1 algorithm performs 
slightly better than the other two. However, it is worth noting that the A3 
algorithm achieves good results with a very low maximum number of decoding 
tries and that by slightly increasing the number of decoding tries for the A3 
algorithm, from [49, 17] to [100,50], say, one gets a similar performance to the 
A1 algorithm while still having a lower complexity and the advantage of being 
able to implement it in parallel. This time even for low SNRs the complexity 
of A3 is only slightly worse than that of the Viterbi algorithm. At higher SNRs 
all algorithms achieve good results with few decoding tries resulting in very few 
operations per information bit. 

6.2 Rayleigh Fading Channel ([16,8,9] Extended RS Code Only) 

In our simulations we have assumed a perfectly interleaved Rayleigh fading chan- 
nel, i.e. the fading amplitudes for each bit were completely independent and no 
channel side information was used in the decoding. We have used the same metric 
as for the AWGN channel. 



Table 4. Ave. num. of decoding tries ([16,8,9] extended RS code (Rayleigh 
channel)) 



Algorithm 


2dB 


3dB 


4dB 


5dB 


6dB 


7dB 


8dB 


A 1 [3000] 


3000 


2929 


2865 


2670 


2383 


1941 


1397 


A2[1500, 1500] 


3000 


2964 


2879 


2726 


2359 


1944 


1400 


A3[529, 529] 


[529,529] [518,518] [506,506] [475,475] [426,425] [346,345] [250,248] 



Figure 11 shows that the results for the Rayleigh fading channel do not 
differ very much from the ones we obtained for the AWGN channel. We see, 
as for AWGN in Section 3, that sorting with respect to the reliability measure 
Reli or Rel 2 (the two curves overlap) is better than Reis. Furthermore, as in the 
AWGN channel, sorting with 529 decoding tries yields a better performance than 
unsorted decoding with 5489 decoding tries. For the Rayleigh fading channel, 
sorting yields a coding gain of about 2dB when compared to the unsorted case 
with the same number of decoding tries. This time it seems that the algorithms 
A1 and A2 perform identically. However, looking at the computed HER values, 
there is an indication that A2 might outperform A1 slightly for SNRs higher than 
these. In terms of complexity - see Figure 12 and Table 4 - the only difference 




Some Soft-Decision Decoding Algorithms for Reed- Solomon Codes 299 




Fig. 11. [16, 8, 9] extended RS code de- Fig. 12. Complexity of algorithms 
coded using Al,A2,A3 (Rayleigh) ([16, 8, 9] extended RS code (Rayleigh)) 




from the AWGN channel is that the average number of decoding tries decreases 
more slowly which is obviously due to the nature of the Rayleigh fading channel. 
Note that, again, the curves for “Al[3000]” and “A2[1500,1500]” overlap. 

7 Conclusion 

In this paper we have introduced three suboptimal decoding algorithms for RS 
codes all of which achieve a reduction in complexity of several orders of magni- 
tude over the Viterbi algorithm for these codes whilst keeping the loss in coding 
gain very small. These algorithms are not restricted to RS codes and could be 
applied to any linear block code. They achieve their full potential with high rate 
codes where a small number of decoding tries yields almost maximum-likelihood 
decoding performance with low decoding complexity. 

References 

1. Wesemeyer S. and Sweeney P.: Suboptimal soft- decision decoding for some RS- 
codes. lEE Electronics Letters 34(10) (1998) 983-984 

2. Dorsch B.G.: A decoding algorithm for binary block codes and J-ary output chan- 
nels. IEEE Trans. Inform. Theory IT-20(3) (1974) 391-394 

3. Fossorier M.P.C. and Lin S.: Soft- decision decoding of linear block codes based on 
ordered statistics. IEEE Trans. Inform. Theory 41(5) (1995) 1379-1396 

4. Taipale D.J. and Pursley M.B.: An improvement to generalized- minimum-distance 
decoding. IEEE Trans. Inform. Theory 37(1) (1991) 167-172 

5. Fossorier M.P.C. and Lin S.: Complementary reliability- based decodings of binary 
linear block codes. IEEE Trans. Inform. Theory 43(5) (1997) 1667-1672 

6. Stichtenoth, H.: Algebraic function fields and codes. Springer- Verlag, 1993 

7. Forney Jr, G.D.: Generalized minimum distance decoding. IEEE Trans. Inform. 
Theory IT-12 (1966) 125-131 






Weaknesses in Shared RSA Key Generation 

Protocols 



Ik * Ik 1 ** k 

1 



Department of Mathematics, 

Royal Holloway, University of London, 

Egham, Surrey TW20 OEX, United Kingdom. 

{S .Blackburn, M. Burmester ,S . Galbraith }@rhbnc .ac.uk, 
sblakewi@certicom.com 



Abstract. Cocks proposed a protocol for two parties to jointly generate 
a shared RSA key. His protocol was designed under the assumption that 
both parties follow the protocol. Cocks proposed a modification to the 
protocol to prevent certain attacks by an active adversary. The paper 
presents attacks that show that the Cocks protocols are not secure when 
one party deviates from the protocol. 



1 Introduction 

1 

k 

1 1 

k 1 

11 1 
9 1 1 

1 



1 



k 



1 



k z k 

k 



1 



k 



1 1 



k 



k 



1 




1 

11 



k 



kl 



1 



* The author is supported by an EPSRC Advanced Fellowship. 

** The author is an EPSRC CASE student sponsored by Racal Airtech. 
* * * The author thanks the EPSRC for support. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 300-306, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




Weaknesses in Shared RSA Key Generation Protocols 



301 



kl 



k 1 



k 

1 k 



1 k 

1 



1 k 



2 The Cocks Protocols 



11 1 



2.1 The Asymmetric Cocks Protocol 

k 1 11 

1 Pa go 1 

Pb qb 11 1 

IN Pa Pb Qa qb 11 

1 1 Ma 1 6a 

k k ea 1 1 i 

k 1 k da 

1 Ma 1 1 z TV 1 1 

Po“ Ma ql’^ Ma 




302 



Simon R. Blackburn et al. 



1 1 1 












*^l,a 


Pl"ql" PaQb 


Ma 






<^2,a 


P^3a“ PbQa 


Ma 






•^3, a 


PbQb 


Ma ■ 








K 


^i,3 


,a ^ 


5 


j K 




1 Ma 












K 














Ma 


11 i 


•> ? 






J = 1 












K 1 1 










K 


1 












1 1 K 




b‘'i,ablija 


Ma 






1 


1 












1 


1 












hj 








111 1 


Vi, 3, a 


Me 


1 






Vi, 3 


,a 0i,3,O'0‘i^a 


Ma 








1 












3 K 












PaQa ^ ^ Vi,j,a 


PaQa PaQb 


PbQa PbQb N 


M, 


t • 


i=l j=l 












<N <Ma 1 




N 


1 






1 N 












N 1 1 


1 






N 






1 








kl 




1 


N 








11 1 


11 


1 e 




1 




da df) 


d 




1 


Pa 


qa 


Pb qb 1 e 




kl 








Security. 


1 


1 






1 


1 


1 1 








K 


1 1 K 


1 




1 




11 



^^3 ^--\K 

Z^i=l 2^j=l yi,j,a 

PaQb PbQa PbQb k K 1 



K 



> M, 



2 




Weaknesses in Shared RSA Key Generation Protocols 



303 



11 

1 K 

Pa Qa 



K 



1 k 



Pa“ 9^ 1 

1 N 



1 



1 PaQb PbQa Pbqb 



1 N 
Pb Qb 



1 



1 N 
1 1 
1 

1 



2.2 The Symmetric Protocol 

k k 

1 1 



N 1 



1 1 



N 



b 11 



11 1 



1 1 



1 1 1 
1 1 

1 



1 N 



1 Mb 



N 



3 Attacks on the Cocks Protocols 



3.1 Dishonest Alice in the Symmetric Protocol 



k k 

1 

N Ilk 



N 



1 



1 11 

pI” Mb ql” 

Ik 1 

1 1 
Ik 1 



11 



1 1 

11 IN 1 

Mb 1 N 

Pb qt 11 
N p q N 

P q 

Pb P - Pa Qb q - qa k 

1 1 

Pb Pb Mb 

qb qt^ Mb . 




304 



Simon R. Blackburn et al. 



1 



1 Pb Pb Qb ^b 

1 1 



N p q 

Pb qb N Pa Pb qa qb 

K 1 

-^i,j,b -'^/Mb'^ -i- 



N pq 11 1 



j-K- 



3 K 

T.Y. Vi,j,b N - Pbqb Mb . 

i=i j=i 



1 ^^,pb 



^i,j,b yi,j,b Mb . 



1 



Mb 



kl 

1 N 



1 



Pbqb 



11 1 

Ik Pb qb 



1 1 



yij,b 

1 N 

N 

N 

1 



1 1 



N 



N 



N 



1 1 
11 1 



1 fl 



3.2 Cheating during the Boneh-Pranklin Test 



N 



k 



1 

1 




k 





1 1 1 
k 1 1 

1 

N 1 

k 1 



1 1 
1 



N 

N 

N 



1 

11 11 



N 11 

1 

Pb qt 



N 1 




Weaknesses in Shared RSA Key Generation Protocols 



305 



3.3 Dishonest Bob in the Asymmetric Protocol 



Ma 1 



1 

Vi,j,a - 

1 1 



1 Ma 



1 






3 K 

^ PaQa 

i=l j=l 



Ma 



1 1 



PaQa 



-'a HCL 



1 



N 



kl 



1 1 
1 



Ma q"a 

Pb T 

qb 1 



Ma 



Pb Pa qa 



% 



1 1 



1 Ma 
1 






Cl C2 C3 

k Pa qa 

1 

11 



1 ^ Pb Qa qb Pa 

1 

N 



1 1 



1 1 1 



Pb 



N 

1 N 



1 N 



3.4 Cheating by a Choice of Pa, Qa 



Pa Qa 



1 






1 



1 1 



^i,j,a Ma 

1 

1 k 



11 



1 1 



N 



1 Ma Mb 



Ma 



1 



4 Acknowledgements 



Ik k 



k 



1 



z 



11 1 

11 




306 



Simon R. Blackburn et al. 



References 

1. M. Bellare and S. Goldwasser, Lecture Notes in Cryptography. 1996. Available at 
http : //www-cse .ucsd. edu/users/mihir/ 

2. S.R. Blackburn, S. Blake-Wilson, M. Burmester and S.D. Galbraith, 
‘Shared generation of shared RSA keys’ Technical report GORR 98-19, Univer- 
sity of Waterloo. 

Available from http://www.cacr. math. uwaterloo.ca/ 

3. D. Boneh and M. Franklin, ‘Efficient generation of shared RSA keys’, in B.S. Kaliski 
Jr., editor. Advances in Cryptology - CRYPTO ‘97, Lecture Notes in Computer 
Seience Vol. 1294, Springer- Verlag, 1997, pp. 425-439. 

4. G. Gocks, ‘Split knowledge generation of RSA parameters’, in M. Darnell, editor. 
Cryptography and Coding: 6th IMA Conference, Leeture Notes in Computer Seience 
Volume 1355, Springer- Verlag, 1997, pp. 89-95. 

5. G. Gocks, ‘Split generation of RSA parameters with multiple participants’, 1998. 
Available at http://www.cesg.gov.uk 

6. D.E. Denning and D.K. Branstad, ‘A taxonomy of key escrow encryption schemes’. 
Communications of the A.C.M., Vol. 39, No. 1 (1996), pp. 24-40. 

7. A. Fiat and A. Shamir, ‘How to prove yourself: Practical solutions to identifica- 
tion and signature problems’, in A.M. Odlyzko, editor. Advances in Cryptology - 
CRYPTO ‘86, Lecture Notes in Computer Science Vol. 263, Springer- Verlag, 1987, 
pp. 186-194. 

8. Y. Frankel, P.D. MacKenzie, M. Yung, ‘Robust efficient distributed RSA key gen- 
eration’, In Proc. of 30th STOC, 1998, pp. 663-672. 

9. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, ‘Robust and efficient sharing 
of RSA functions’, in N. Koblitz, editor. Advances in Cryptology - CRYPTO ‘96, 
Lecture Notes in Computer Science 1109, Springer- Verlag, 1996, pp. 157-172. 

10. N. Gilboa, ‘Two party RSA key generation’, in M. Weiner, editor. Advances in 
Cryptology - CRYPTO ’99, Lecture Notes in Computer Science 1666, Springer- 
Verlag 1999, pp. 116-129. 

11. G. Poupard, J. Stern, ‘Generation of shared RSA keys by two parties’. In ASI- 
ACRYPT ’98, 1998, pp. 357-371. 




Digital Signature with Message Recovery and 
Authenticated Encryption (Signcryption) - 
A Comparison 



Chan Yeob Yeun* 



Information Security Group 
Royal Holloway, University of London 
Egham, Surrey TW20 OEX, UK 
c . yeunOrlibnc .ac.uk 



Abstract. Mitchell and Yeun [8] showed that Chen’s scheme [2] is not 
a digital signature scheme with message recovery, whereas it should be 
called an authenticated encryption scheme. Also note that similar re- 
marks have been made in [10] regarding schemes recently proposed by 
Zheng. Thus we will show that there are major differences between a 
digital signature scheme with message recovery and authenticated en- 
cryption scheme by proposing a digital signature with message recovery 
scheme and signcryption scheme as an example for comparison. The secu- 
rity of the schemes is based on intractability of solving the Diffie Heilman 
problem as well as finding a collision on one-way hash-function. 



1 Introduction 

In 1976, Diffie and Heilman [3] introduced the public-key cryptosystem which is 
based on the discrete logarithm problem (DLP). The intractability of the DLP 
is equivalent to the security of the ElGamal public-key scheme [4] and its digital 
signature scheme. 

Among the current known signature schemes, RSA [11] is unique in the sense 
that the signature and encryption functions are inverse to each other. For this 
reason, an RSA signature can be used with message recovery. On the other hand, 
a discrete logarithm based signature, such as ElGamal [4] and DSS [1], cannot 
provide message recovery. The benefits of the message recovery are applications 
without a hash function and smaller bandwidth for signatures. In 1993, Nyberg 
and Rueppel [9] proposed the first digital signature with message recovery based 
on the discrete logarithm problem. 

In many applications it is necessary to provide both confidentiality and in- 
tegrity/origin protection for a transmitted message. This can be achieved using 
a combination of encryption and a digital signature. However, this doubles the 
cost of protection, and motivates the work of Horster, Michels and Petersen 

* The author is supported by a Research Studentship and Maintenance Award from 
RHBNC. 



M. Walker (Ed.): IMA - Crypto & Coding’99, LNCS 1746, pp. 307-312, 1999. 
(£) Springer- Verlag Berlin Heidelberg 1999 




308 



Chan Yeob Yeun 



[5] who introduced an authenticated encryption scheme, designed to provide a 
combination of services at reduced cost. 

Subsequently Lee and Chang [6] modified the HMP scheme to remove the 
need for a one-way function, whilst keeping communication costs the same. This 
scheme may be advantageous in environments where implementing a one-way 
function is difficult, e.g. in a smart card with limited memory and/or computa- 
tional capability. 

More recently, Chen [2] introduced a variant of the Lee and Chang scheme, 
which is claimed to provide the same security level with a simpler specification. 
However, some of the claims made by Chen are incorrect as Mitchell and Yeun [8] 
pointed out that Chen’s scheme [2] is not a digital signature scheme with message 
recovery, whereas it should be called an authenticated encryption scheme. Also 
note that similar remarks have been made in [10] regarding schemes recently 
proposed by Zheng. 

2 Comparison for a Digital Signature with Message 
Recovery and a Signcryption 

We observe that there are major differences between a digital signature scheme 
with message recovery (see [9]) and authenticated encryption schemes (see [5,6]) 
as follows: 

2.1 A Digital Signature with Message Recovery 

Basically, a digital signature with message recovery scheme should satisfies the 
following properties. 

— Data integrity/origin protection: This is property whereby data has 
not been altered in an unauthorised manner since the time it was created, 
transmitted, or stored by an authorised source as well as protecting one’s 
origin. 

— Nonrepudiation: It is computationally feasible for the TTP to settle a 
dispute between the signer and the recipient in an event where the signer 
denies the fact that he/she is the sender of the signed text to the recipient. 
To compare with an authenticated encryption (signcryption), the signer do 
not reveal any his/her private keys to the TTP. 

Thus, in a digital signature with message recovery scheme, the trusted third 
party (TTP) can always verify the signatures which are sent by the receiver B 
without B having to divulge any long term secret information to the TTP. 

2.2 An Authenticated Encryption (Signcryption) 

Basically, an authenticated encryption (signcryption) scheme should satisfies the 
following properties. 




Digital Signature with Message Recovery and Authenticated Encryption 309 



— Confidentiality: It is computationally infeasible for an adaptive attacker 
to find out any secret information from signcrypted text. 

— Data integrity/origin protection: It is computationally infeasible for an 
adaptive attacker to masquerade as the signcrypter in creating a signcrypted 
text as well as protecting one’s origin. 

— Nonrepudiation: It is computationally feasible for the TTP to settle a 
dispute between the signcrypter and the recipient in an event where the 
signcrypter denies the fact that he/she is the sender of the signcrypted text 
to the recipient. To compare with a digital signature with message recovery, 
the signcrypter reveal any his/her private keys to the TTP. 

Thus, in a authenticated encryption schemes, only the sender A and the receiver 
B can only verify a protected message sent from A to B. This is because B can 
only verify such a message with the aid of his private decryption key. Therefore, 
one can deduces that this is an unacceptable property for a signature scheme as 
discussed in section 2.1, where one would normally expect signature verification 
to be possible without compromise of any private keys. 

In the following, we will propose a digital signature with message recovery 
scheme and signcryption scheme as an example for comparison. The security of 
the systems is related to the security of Diffie-Hellman [3] and that of randomly 
chosen one-way collision resistance hash-function. Assume that Diffie-Hellman 
and one-way collision resistance hash-function are easy to break, then so is the 
proposed schemes. 

3 System Generation 

The key centre selects and publishes the system parameters for public usage. Let 
p be a prime with 2^^^ < p < 2^^^, q a prime divisor of p— 1 with 2^®® < q < 2^®®, 
gi and g 2 (1 < gi,g 2 < p) integers of order q and R a redundancy function (see 
Section 11.2.3 of [7]), and its inverse and h is one-way collision resistant 
hash-function (see Section 9.2.2 of [7]). p,q,gi,g 2 ,R,R^^ and h are publicly 
known. 

Suppose Alice has two private keys Xa^,Xa 2 (1 < Xa^,Xa 2 < q), and two 
public keys: 

-Pai = gi^" mod p, Pa 2 = 92^^ mod p. 

Similarly, suppose Bob has two private keys Xbi,Xb 2 , (1 < < q), and 

two public keys: 



Pbi = mod p, Pb 2 = 92 ^^ mod p. 

In addition, every participant must have a means of obtaining a verified copy 
of every other participant’s public signature verification keys. This could, for 
example, be provided by having the key centre certify every participant’s public 
keys, and having every participant distribute their certificate with every signed 
message they send. 




310 



Chan Yeob Yeun 



4 A Digital Signature with Message Recovery Scheme 



To sign a message m Zp, Alice randomly chooses two integers k\ and k2, 
1 < k\,k2 < q and computes the following: 



m = R{m), 

r = m §2^^^ mod p, 

Si = ki — h{r)XAi mod g, 

and 

■S2 = k,2- h{r)XA2 mod q. 

Then Alice sends Sig(m) = (r, si, S2) to Bob. After receiving Sig(m), the message 
can be recovered by Bob as follows: 

m §2 '^ mod p. 

After checking the validity of m , the message can be recovered by computing 

m = R^^{m ). 



This digital signature is secure if one selects a secure redundancy function 
R and a randomly chosen one-way collision-resistant hash-function h are used 
and providing that solving two discrete logarithms problems are computationally 
infeasible. 

Observe that this scheme is a digital signature with message recovery as 
discussed in section 2 . 1 , i.e. it satisfies the data integrity/ origin protection and 
nonrepudiation. The trusted third party (TTP) can always verify the signatures 
which are sent by the receiver Bob without Bob having to divulge two long term 
private keys to the TTP. 



5 An Authenticated Encryption (Signcryption) Scheme 



Suppose that Alice wants to send a message m to Bob. Then she first chooses 
two random integers ki and /c2, 1 < fci, /c2 < 9 and computes the following: 



Ki = mod p) mod q, 

K2 = {PbI mod p) mod q, 
rn = R{m), 
r = m K\ — K2 mod p, 
,si = ki — h{r)XAi mod q 



and 



S2 = k2 — h{r)XA2 mod q. 




Digital Signature with Message Recovery and Authenticated Encryption 311 



Then Alice sends (r, si,S2) to Bob. After receiving (r, si,S2), Bob computes 
the following: 



PA^B^ = mod p, 

PA2B2 = modp, 

Ki = {Pb\p 1 % modp) modg 

and 

K2 = {PbIPaX mod p) mod q. 

Thus, he computes 



ATf ^(r + K2) mod p = m mod p. 

After checking the validity of m , the message can be recovered by computing 

m = R^^{m ). 

This authenticated encryption (signcryption) scheme is secure if one chooses a 
secure redundancy function R and a randomly chosen one-way collision- resistant 
hash-function is used and providing that solving the discrete logarithms are 
computationally infeasible. 

Observe that this scheme is a authenticated encryption (signcryption) scheme 
as discussed in section 2 . 2 , i.e. it satisfies confidentiality, data integrity/origin 
protection and nonrepudiation. Only the sender Alice and receiver Bob can verify 
an authenticated encryption message sent from Alice to Bob. This is because Bob 
requires his private keys for verification. 

6 Conclusion 

We have shown that there are major differences between a digital signature 
scheme with message recovery and authenticated encryption scheme. We also 
have proposed a new digital signature with message recovery scheme which sat- 
isfies the properties of data integrity /origin protection and nonrepudiation, and 
a new signcryption scheme which satisfies the properties of confidentiality, data 
integrity /origin protection and nonrepudiation are an example for comparison. 
The security of these schemes is based on intractability of solving the Diffie 
Heilman problem as well as finding a collision on one-way hash-function. 

7 Acknowledgements 

The author is grateful to Fred Piper for his support, and to Chris Mitchell and 
Mike Burmester for comments on an early draft of the paper. 




312 



Chan Yeob Yeun 



References 

1. The digital signature standard proposed by NIST. Communications of the ACM, 
35(7):36-40, 1992. 

2. K. Chen. Signatrue with message recovery. Electronics Letters, 34(20) :1934, 1998. 

3. W. Diffie and M.E. Heilman. New directions in cryptography. IEEE Transactions 
on Information Theory, 22:644-654, 1976. 

4. T. ElGamal. A public key cryptosystem and a signature scheme based on discrete 
logarithms. IEEE Transactions on Information Theory, 31:469-472, 1976. 

5. P. Horster, M. Michels, and H. Petersen. Authenticated encryption schemes with 
low communication costs. Electronics Letters, 30(15):1212-1213, 1994 

6. W. Lee and C. Chang. Authenticated encryption scheme without using a one-way 
function. Electronics Letters, 31(19):1656-1657, 1995. 

7. A.J. Menezes, P.C. van Oorschot and S.A. Vanstone. Handbook of Applied Cryp- 
tography, CRC Press, 1997 

8. C.J. Mitchell and C.Y. Yeun. Comment-Signature scheme with message recovery. 
Electronics Letters, 35(3):217, 1999. 

9. K. Nyberg and R.A. Rueppel Message recovery for signature schemes based on 
the discrete logarithm problem. In Advances in Cryptography - Proceedings of 
EUROCRYPT ’94, pages 175-190, Springer- Verlag, 1995. 

10. H. Petersen and M. Michels. Cryptanalysis and improvement of signcryption 
schemes. lEE Proceedings on Computers and Digital Techniques, 145:149-151, 
1998. 

11. R.L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures 
and public key cryptosystems. Communications of the ACM, 21:120-126, 1978. 




Index 



r 0 

y 

r 00 

00 

r 

r r r 

r 

y 

r 0 

r y 

r r 00 



r 



r 



r 



r 



0 



y 



r 



0 



0 



rr 



r 



rr 

0 

0 



y 0 



r 0 

r 



r 



r 



00 



0 



r 

r 

y 



0 



r r 



0 



ry 

r r 

y r 0 



0 



r y 



r 




